23542300x800000000000000010960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:06.674{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA598E6D3CB2BA3118606ECF6F8AB369,SHA256=4DB9A96D27F860412E48E160308539CC2A0A44572EFBF98550D40FA841C6C89A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:06.650{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D78F84DF37163463496D6203605290CF,SHA256=21BC0312DBB90A74E429D37E9B9993E533C9E7124F7CB3C921C8BE00F0B0D550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:06.403{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\respondent-20230116112145-013MD5=B18DB66107F9A3DB58AE009D35CE0A39,SHA256=9B023875329D6D96D1D2E2C61D5FC66BDE525A94E7FC76E10487647BF6E62E63,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:02.473{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49854-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000010962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:07.745{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFD751191CABDD3407CF5B0DE78A2D58,SHA256=3E7D6295A9B80EF67E3CC1EF9EADF450C477768190B178E474653AB7FE1326BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:07.735{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD8B6BF841D2CBC31278AD8EF26933A6,SHA256=8358BF7BEB779ADF5973C1F77A226715AD43735D27D5C39EEDDE0A567E59A45E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:07.404{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\surveyor-20230116112142-014MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:08.834{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60BCB8F538C8E49A57C67F913A021FEF,SHA256=8176E980050CB1769E63537B8D164B62CBA1806918B62059783398F5DACCD17D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:08.821{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E07921783420B046AF4AA0CC26682D8A,SHA256=EF5B1E4D4EE4273D669C536166553031D0FA1940741F1D94CEB3E02E7ABB1BC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.995{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.985{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.973{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.961{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.949{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.921{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.916{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.908{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.902{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 23542300x800000000000000010967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.899{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E7BBB4E3E8B35F275E0027235D9BCA,SHA256=E08306852D69DBE4492C29A52C79B780E3FE8A26DCC1E497914A9DD49713D63A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.891{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.885{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.883{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.101{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-35A8-63C5-3501-00000000B002}2596C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.099{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.095{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.094{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.089{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.086{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.085{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.083{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.082{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.078{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.076{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2B00-00000000B002}2776C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.075{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.073{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.070{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.062{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.059{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.050{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.037{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.013{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.009{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 354300x800000000000000027242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:07.515{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59193-false10.0.1.12-8000- 23542300x800000000000000027241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:10.037{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BD19015C3464E05BB71A6A0BAB4F8BD,SHA256=1B0E21A1043E0BB6F8C3FBE5B942484546FA6959D72A3E6E5D562BEF24A1581B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:11.472{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48BAE1D5553E0353BC89274D7159C9C1,SHA256=B378FEC3F412A17DB4854885F031EFA5A6E647D63E89A0C46AD0287118D5ABA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:07.653{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49855-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:11.139{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA93EC0752AE194B464DBB72C66F709F,SHA256=339FEC1D61EC2443DA9AB0623504171E058B5372ED337571ECBA2C0BF9A0CAFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:12.284{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8BE42A538ECAAE177CBB1A4AD1E8528,SHA256=DF41EBCFCF6E2791F623398608266B91347384E5B6BA60D1C58585EF241E47CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:12.239{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B009864C6CDA4407095B8A9D89E66FBE,SHA256=9D5B7388EA19AEDDD5298A3952CFA9955904319B30E9626B242385333D6FE4E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:10.227{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local59194-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:10.227{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local59194-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 23542300x800000000000000027245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:13.341{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF6BF258A8C99438B880D86E7DE80D03,SHA256=EDC6A65D4FD71C278B4D3D8EDFBF6DA154B76434032DC668A392CF6CD975B6D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:13.361{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=080C67A900B181E3CB9D644070D44CAF,SHA256=AF436FD8720457032D427EBED7E7787DB5FCE23AD8F497B6D0B33C3772F87E2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:14.436{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C178A6CD1D6611B680C56A55EE892A1,SHA256=F1A7C259FDD5A4E9DE9C2D4A06632B7F2CB3B87D19056753E6E2FAA05C267BF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:14.433{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78EA6908E0013E792CFAD6793A9D75E6,SHA256=88B78C66449DDC71F787DA2BB23EFF764CA20546A314B6264D4E3A2928B3F8F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:15.521{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=030BDB1639C1DD54B77CD2694FEC118E,SHA256=24B06F874BD3A2EBC4F7F15423171DC847BD4C92DB48115B5D19B9CE18BDDDF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:15.537{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F6C8ED164A1CD7D07E0A5245CF5DC38,SHA256=D483E517B8825CC2A7590592ADC046A6AE0ED17EB70E506E513D1E5469C2CDE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:13.599{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49856-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:16.607{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D4F1B4B546A50114A4ECC6968401DD0,SHA256=BFA17A3AFF874BC5C971D7E0508F99FC8F48A5B1D496CEC362ADAED8BAB2E296,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:13.513{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59195-false10.0.1.12-8000- 23542300x800000000000000027250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:16.635{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDA7CCA5E19BFDD98323E75E9A0C1BCB,SHA256=45336F7D0E3887924F15BFD059D0DAF59C322FC39CF018008382EBE416F50FCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:17.698{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9EB4E4046B465974AE2CEC1549F771,SHA256=FA55F0DDD57A67268FC072BD4611D8AE77DB9A54D14676C29FC4E176556A5DC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:17.736{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EECA121B3A0712B1F3D9A15466FDBFC,SHA256=B0F45C3E717D06CB5C879BB7C28D92D5DC2879A5278E8D9E5EF18FC20117B010,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:18.772{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D626B4F806F0895A168A7778CAEF90,SHA256=31E0CA0A1063B4805D9F808F8FDEE80C131E91C75AABC1C1BEE6BE7ED5EF42C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:18.838{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50C1C67757B2F81089209F003BDBD915,SHA256=0BCA09C9FA2F24E00970E972A94B8C1BC003BC455BEBB7F028F653E9CA9FC56B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:18.662{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:19.932{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113CF1F30B8BB42FAE13B1120D8E8729,SHA256=8ABF5E73F7E434B72637CF961EFC811A01F02F65B5DC847D3ADE38B3FDD4318E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:19.862{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=199A7D63B4007C8072DB3E465B3B37CB,SHA256=95A81855CEB1AB7C857F9833F46AF5E7031F9A7A33B61F34A898AED34821FA97,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:17.060{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49857-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000011009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:20.924{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3330A62D703ADA0D76F591F18C34830,SHA256=B55C384A7F67F553D990F33A022D2B3F32994ED41671135CDFD75DCF6603DEA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:21.997{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FB9F4F141AC182F11B359F5428FAF95,SHA256=8D9EBF40BA5C5DD1D5EB8040E626962CEF243641D0A86C42E9A3483A9865C779,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:18.671{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59196-false10.0.1.12-8000- 23542300x800000000000000027255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:21.024{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E43E5AB93EE36551E3C52E76D1D9394B,SHA256=554330E8832A08D6F5FD7C390FDFF4D960C970E095C7E42E9068537FA673AC90,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:19.556{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49858-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000027278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.613{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.608{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.284{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.274{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.268{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.265{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.262{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.261{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.233{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.221{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.212{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.206{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.200{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.171{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.163{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.153{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.147{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.138{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.131{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 23542300x800000000000000027259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.116{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01F3C23CBE103582EF22F1F7DCC1DA32,SHA256=8C411FC6844DAF7EAB25CA78ABAD70B6B2E291EC8C8441BF9857463FB3FF9784,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.100{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.096{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:23.799{FCCA13C7-30EC-63C5-0B00-00000000AF02}628808C:\Windows\system32\lsass.exe{FCCA13C7-30EA-63C5-0100-00000000AF02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000027287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:23.545{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36B7-63C5-4705-00000000AF02}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:23.545{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:23.545{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:23.545{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:23.545{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:23.545{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-36B7-63C5-4705-00000000AF02}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:23.545{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36B7-63C5-4705-00000000AF02}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:23.546{FCCA13C7-36B7-63C5-4705-00000000AF02}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:23.170{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D4A8F9DD589A76A4076053CACE9806C,SHA256=31B359E13BF0104D1CC58AE1D9889DF0F0776819A40830988C97AAC2BAAA2683,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:23.063{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BDE1984348974E8C25AD58309391580,SHA256=E2B7D1564B087A5F878D39BAC07F973F088F76C179870E9320DE3D57852B8EB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:24.143{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7BBDD2482163C87F48EF6EE4D429157,SHA256=5D97332990E5804C02BBAFEAD6936014CD6D295579D6EF9DD3A3E14BD854DD95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.899{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36B8-63C5-4905-00000000AF02}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.899{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C0A541BFEE90E6264195A4A86A1831E,SHA256=3A0F3F710CDA9661ECFE8B571F3B43973110FF84320B192CDCDACE35659E68CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.897{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.897{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.897{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.897{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.896{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-36B8-63C5-4905-00000000AF02}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.896{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36B8-63C5-4905-00000000AF02}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.896{FCCA13C7-36B8-63C5-4905-00000000AF02}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000027306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.644{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.643{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.640{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.638{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.637{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.631{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.394{FCCA13C7-36B8-63C5-4805-00000000AF02}51363960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.269{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF999587433A7F62CED2F4BCEF70EEBA,SHA256=6A8413B9EBDDA6438F273A9F5A4A59EC6275100F4102C8C67C29FA48F37ACDE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.238{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=4A0DCCDC43B45579D88DBCCAC61C7299,SHA256=039AE728C2E391E122F0AF3C2BA209D0066F13949D7FB4FC654B875E788333AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.223{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36B8-63C5-4805-00000000AF02}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.223{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.223{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.223{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.223{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.223{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-36B8-63C5-4805-00000000AF02}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.223{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36B8-63C5-4805-00000000AF02}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.223{FCCA13C7-36B8-63C5-4805-00000000AF02}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.098{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8E4DAFD274512A485C5991DDE4DC1613,SHA256=CE310C0AF470CA36B96BC3416EAD95C6DB3DA4D7B04BA9793FE1D55D355D7C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:25.235{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=591E0DBA04B3A20C6B13E7A018FEB68F,SHA256=AE32E8E626203A1BCF2B2496B9D990517D77BE240034E8FDE739F81F8A22EF42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.745{FCCA13C7-36B9-63C5-4A05-00000000AF02}61767104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.563{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36B9-63C5-4A05-00000000AF02}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.560{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.560{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.559{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.559{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.559{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-36B9-63C5-4A05-00000000AF02}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.559{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36B9-63C5-4A05-00000000AF02}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.558{FCCA13C7-36B9-63C5-4A05-00000000AF02}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.292{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C409D893FCB84973F14E3A144690CB,SHA256=1665BE9022AA900AD0EEC1387DF18376263041A413BA1CEB30671115B94939C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.246{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.237{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.223{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.220{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.196{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.189{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.176{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.171{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.170{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.167{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.165{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.164{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.161{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.159{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.158{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.157{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.156{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.154{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:26.553{FCCA13C7-36BA-63C5-4B05-00000000AF02}65006804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:26.350{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5C62F49F0231036B892D9D62D5F09E7,SHA256=A08B56FAB220EB5C03EDD210A385474D4B9D089091E0752F8E6BDD47E959395A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:26.350{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36BA-63C5-4B05-00000000AF02}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:26.350{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:26.350{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:26.350{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:26.350{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:26.350{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-36BA-63C5-4B05-00000000AF02}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:26.350{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36BA-63C5-4B05-00000000AF02}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:26.351{FCCA13C7-36BA-63C5-4B05-00000000AF02}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:26.327{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACE43497A38BAB31067DEF2F111CAC3F,SHA256=A7796E935F24D5246B57EE767ED3041DBEC1054481F040F9F9C692DBE732B2A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.277{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59197-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local445microsoft-ds 354300x800000000000000027344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.277{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59197-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local445microsoft-ds 23542300x800000000000000027365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:27.440{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=355392B77B42D12BD4C8D863A5A0AC3E,SHA256=1FF0EA0EB90843B200F5BF5C57631EA9EF9E2981432731F0D2A2133317300EC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:27.417{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CABD241F934A1CCF64E08833A8C9B3B,SHA256=515EE87147CF1ED078ACF3348AC2B38107A2325A2C17377915502CA72E6624C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:27.216{FCCA13C7-36BB-63C5-4C05-00000000AF02}66126952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:27.022{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36BB-63C5-4C05-00000000AF02}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:27.022{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:27.022{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:27.022{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:27.022{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:27.022{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-36BB-63C5-4C05-00000000AF02}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:27.022{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36BB-63C5-4C05-00000000AF02}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:27.023{FCCA13C7-36BB-63C5-4C05-00000000AF02}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:28.531{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBADE6D73021DB8F91B8EAC5DF41C8D7,SHA256=A5181142231935F15E2D73D7EB938F8B8BEE2A75FD252B4DAE872F5CB1F88937,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:25.515{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49859-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:28.500{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=020A433416B7BDC39D249DD8AA665657,SHA256=287935AEDE81F60B1520C33C2C1A8F0E255A485CD7B858855B41511811355C40,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.509{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59198-false10.0.1.12-8000- 23542300x800000000000000011018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:28.219{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3C68F3B941A6C8ACCD2714F132736C3B,SHA256=B9FF410D0DA9E7BDD30AC4543482B2EC31A07D9A5134446F158C67F4411BAD8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:29.602{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F176912BF88555C682B282FEEB2BB22,SHA256=A632A3F7201F030695EE54C96F9067C11943857D714155AE93FAFD21018CED59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.993{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.984{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.973{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.963{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.933{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.928{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.920{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.913{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.898{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.889{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.886{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 23542300x800000000000000011021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.576{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606C332CB57568B972260836DAC321F8,SHA256=AC219E389206FDF414D6E88407B3ED7A16359938F9F98F04908E89B95F90B830,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:29.050{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36BD-63C5-4D05-00000000AF02}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:29.050{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:29.050{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:29.050{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:29.050{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:29.050{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-36BD-63C5-4D05-00000000AF02}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:29.050{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36BD-63C5-4D05-00000000AF02}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:29.049{FCCA13C7-36BD-63C5-4D05-00000000AF02}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.696{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CFF3FC6A7D8FFD853F2502EC5AA8BF9,SHA256=331F7628DDF33CCF7C0465D1FCAFF58B0B0A1B8573883DCEADDA8327873E98A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:30.702{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=294293942F28EC5C6E74FE634A47408E,SHA256=EF8BF955DA5EB3C47F69452D4DD0F3E323A203D24170201F4CE30B6D0A490186,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.089{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-35A8-63C5-3501-00000000B002}2596C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.087{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.085{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.084{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.080{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.077{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.076{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.075{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.075{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.071{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.068{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2B00-00000000B002}2776C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.067{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.065{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.062{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.056{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.052{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.042{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.032{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.015{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.012{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.003{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 23542300x800000000000000011055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:31.974{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1E7D1143858CD1DD89D4E03A9456C92,SHA256=3E1A596077838CB3939ACAB46891B98CA4C3DA7047D68DC561BA68E06B2E44C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:31.789{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=805B28CDFD14AB51662ACC718597C9E9,SHA256=FE4CD20BE555825D6FE733BE0DEB800FE5589B3DC6402CE6C12AB4616A294ABC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:32.917{FCCA13C7-3386-63C5-9501-00000000AF02}28963900C:\Windows\system32\taskhostw.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:32.855{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D74F486E4123CE07DF933DC832C953,SHA256=6E6BA8C61189042F3EA99EDB849152F9AA2A924668BF72DE04F5A2FC9CEAB6B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:33.960{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDB92A6A9A615EF8C477DF5F1B7AEFF0,SHA256=7772B223B3C8CC6AA3F9A8AB5D8D97BB3C110BE9B8B17F5C353B1CAFF5E47170,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:33.037{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7F0AF82F2B86D26A587CF0CAC09F895,SHA256=C2A20F5896E16ED1150E0CDFB760B66A5EC99B594EE2347688463D8B7B253878,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:29.539{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59199-false10.0.1.12-8000- 23542300x800000000000000027383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:34.809{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\respondent-20230116111158-023MD5=3A7897B317CA03B79FE07533175F9643,SHA256=F76FF17815B8F96571634A983322FD544389A7130FC207258DDFB92658757A4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:31.431{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49860-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:34.124{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1055D72E73157002C9F5DFAD12AE3E1,SHA256=A6041DA89FFDEF3CC112A08E9B963C9F170E4A41877A56242DAFCCB138C1DA16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:35.926{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:35.926{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:35.926{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:35.926{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:35.936{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176C:\Windows\System32\mmc.exe10.0.14393.4169 (rs1_release.210107-1130)Microsoft Management ConsoleMicrosoft® Windows® Operating SystemMicrosoft Corporationmmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\gpedit.msc" C:\Users\Administrator\ATTACKRANGE\Administrator{FCCA13C7-3385-63C5-B3E7-140000000000}0x14e7b32HighMD5=495BFF5AE1B52661212BB65F1CFDA718,SHA256=A08EC9D2F811726BDCD71F7C5B40CDB543D092C11811A45180E569FE3F62124D,IMPHASH=ED5A55DAB5A02F29D6EE7E0015F91A9F{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\explorer.exe"C:\Windows\Explorer.EXE" /NOUACCHECK 23542300x800000000000000027385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:35.816{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\surveyor-20230116111156-024MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:35.078{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08D6E6E4FB82C3C4AB177D7A8C667A94,SHA256=0C1B908216E31BE7F429920A102787D94926C97E39804CBF0BE8DFBFE548F132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:35.192{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B238AA1BB222869C7B1FC8163B4F7EDB,SHA256=F9A5201F9ADD06C13801861EA734CA577B364A04005D529FF4BE0E4607FB1C2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:36.840{FCCA13C7-3386-63C5-9501-00000000AF02}2896ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\6BJ8DAHX\views[1]MD5=A726593A8261930E4786375106FC6BFE,SHA256=E6BFDFBB9A0649EA9D38DE4255C355C581097E6A1035A54943260B22AD45F172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:36.840{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\DG3B2HYU\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:36.280{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=269A0B85F39EF9C3CB0C7B97CF5233B3,SHA256=02784D6021634AD9FFB30C2A3F6CA515DE88F6DEF8B0C01891CF843B81EBDFC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:36.280{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9CFB0C7CB8EE097804C12F63AF51D5E,SHA256=54A54E342EC01887F037E61F13AE92A2504A52AD85EF4364A17AB14C7287F756,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:37.376{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35B0F041A005BBAE18356AF3A9F7ECF2,SHA256=45D8A52B53C8714CB5A26DB74ACE0BC9E53D55505F9317FF68F3987B0BF285E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:37.377{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C80E9ADDCFA53E901C8B4229A7DC10F,SHA256=7E446E26D35BE4C86320D1B4FB764FFFDCB6BF69D533BDFC9C7579846ED0D121,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:37.362{FCCA13C7-3386-63C5-9501-00000000AF02}2896ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\6BJ8DAHX\views[1]MD5=BEE1758A485085BB8A121EB74BA7E96F,SHA256=EDCAD5B1CE8A304B70B8C9EA57D4AEAB740D979FFA59243B943011CB1BA4D57E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:37.362{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\DG3B2HYU\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:37.346{FCCA13C7-3386-63C5-9501-00000000AF02}2896ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\DG3B2HYU\views[1]MD5=A726593A8261930E4786375106FC6BFE,SHA256=E6BFDFBB9A0649EA9D38DE4255C355C581097E6A1035A54943260B22AD45F172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:37.346{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\VFQMRO7Q\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:37.331{FCCA13C7-3386-63C5-9501-00000000AF02}2896ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\VFQMRO7Q\views[1]MD5=BEE1758A485085BB8A121EB74BA7E96F,SHA256=EDCAD5B1CE8A304B70B8C9EA57D4AEAB740D979FFA59243B943011CB1BA4D57E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:37.331{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\6BJ8DAHX\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:38.434{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BE5237A226D0DB7816D64FED318CB3,SHA256=0D7122F68165E76B559F255F289692DE4C2244DC15A8EC003C19739BAD0E791E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:38.350{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EFBA9F2E3405BC17012639C0B0804CC,SHA256=47CD27745CEFEE1A15A02E54F98B0742E1BEE01631F1390F9770E6AD02D95CF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:34.647{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59200-false10.0.1.12-8000- 23542300x800000000000000027401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:38.209{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=305CC5275EBC68A9F1AF8FE344588D0E,SHA256=95A62A74E3F1139DA2C858ADD1C39B94CE9488BBA7876AB750F07BB38A274639,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:36.623{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49861-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:39.515{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4B186A1FAEC1CAC22C29B05BE90A9EB,SHA256=1A7FEEB794142EC63E7C7890308ECB85185CECC951000AF42624A9098D1A3481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:39.453{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE946EB83C6F2E02097AF5D6C3A737B,SHA256=5EE536F23A8E4014B47E1C57ECEAAE2B791E30C00648E45BAC112EE4C3A392CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:40.594{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=415C56EC7981C6F4326A842D927D316C,SHA256=906A495FCA5A5190A3D78B6A97FB8DAFE534A05602FEA31AB1E6D88DB4EC6115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:40.541{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECA1C2178EE8475E25DFD2DCB9330797,SHA256=AEB5BD2AF2AD394CB048FC02ADB0A71B48600D074EB826FDBBF06C277E477896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:41.674{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D535E8D6528F5C70D4611E1FA9D8747,SHA256=77C0E47A5460DAF54925ECC3E3680EC924FD40724732E047EEFDD2935A716B51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:41.636{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10AD7EA69DAAD9D62C906A74DEBC6E7D,SHA256=829620ABDBFD2EB5C01B06C06FD02F6769B97B5B8857D93561E7AA81E048876E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:42.756{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=226FDF575B96030DC7FE4CD92D0B6A13,SHA256=2D72C7169360303C2736A63F278280D4203E183C8A58451839DE08B9CDAB56B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.687{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C5A35E7300317B8104068528154BAD2,SHA256=467BD280708547A80A7622F617CA2EC98F239F829378E4815AA6B4EDF97DC9A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.566{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.561{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.268{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.259{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.253{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.251{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.249{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.248{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.221{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.216{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.204{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.198{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.193{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.169{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.160{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.152{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.146{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.138{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.131{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.099{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.096{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000011069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:43.829{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C68075B2BD7FF8DD98E7AD374AB04F10,SHA256=BB53D4AE2B47C62155A620D52F2D418662DB6B79AE39B15298C6C9095AA7A85F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:43.869{FCCA13C7-30ED-63C5-1100-00000000AF02}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=76C883637A4F73671B74E9F16481A76B,SHA256=526728C2339DCE67E2FC84D37CEC1733E1AEF6E1BD9A40CB906F6E8D3D5DA7B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:43.790{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CC063771E9FA56B86DD966BCACEF173,SHA256=4C47EC2F37A22E8802F6D8C3A6FB3F9549C795E54F0E1CA14257E73F0FA4EC73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:43.688{312A7A06-3345-63C5-1200-00000000B002}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=981973F796C6C0EB2EB7DE03C239E69A,SHA256=D218F57F6076EF372ABB20F71F9EDEEB9C2CB1AA8745480613534EF565F06233,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:40.656{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59201-false10.0.1.12-8000- 23542300x800000000000000027438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:44.888{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0450475B4817D270C66A0FBF5FE3397E,SHA256=4A67CFCAB38E892BEBF3D701C99081EABC5D9ED2D5215D9FA6BD32E4734DAC46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:44.612{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:44.611{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:44.607{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:44.605{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:44.604{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:44.598{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000027497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.990{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=032575611C574A00090B93FB195001C4,SHA256=43FC5120229768AEBF4DFDC87372E7C9CEDAE4F2243FB19D354B46A9321522D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:42.610{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49862-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:45.018{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41D91C62268400229195897F04041751,SHA256=93BD699F54FD8D2426E522A7702E1E0D50D13EEFE38D473F87A434C69E7FDFFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.624{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71E0353BD86E4B24634A3F86DAA3CC74,SHA256=A800FAC9C664231834DDCF9862904C33B784630C1A04D81C5C64C4AE24B1F55E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.208{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.200{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.186{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.183{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.161{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.154{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.140{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.135{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.134{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.131{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.128{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.127{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.124{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.121{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.120{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.120{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.119{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.117{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000011072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:46.098{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C274BE59A5ECF0AF20E81416FA29BA46,SHA256=43B8D83B2AF9E9C49124AA7B30B1D8E927738C5E8205391FD3E0CB49017483A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:47.183{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACF0AC70EBA985FC645780DEF68DDE58,SHA256=F03551B9C4905DC4332D85342FE7D5710BA60B220422D48E29B6313BDEC505CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:47.074{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=300F63791DF67041CCBAC3958BF948DB,SHA256=D95012A68091926D31C1C76667C4EF1A7D5C06A8BCF591DAF24EBF3BE211F117,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:45.110{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49863-false169.254.169.254instance-data.us-east-2.compute.internal80http 23542300x800000000000000011074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:48.254{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89D7CA76EBCEF2474C9F2409755496F9,SHA256=D94749D269670C1DA4DD39B3FE34B9B59817F5742031E001B98E63B5E9EC8FFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:48.179{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\SchCache\win-dc-ctus-attack-range-221.attackrange.local.schMD5=3B3531A335298119AD90D9B9BEB810AF,SHA256=77996876B4230A7DFCE13A77C0AA2E3B969AFA2A4562FD8583B6DDE3742EB2AD,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000027500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:48.148{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176C:\Windows\System32\mmc.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 23542300x800000000000000027499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:48.163{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3807A410C3B5B46645E3EFCA0CF722F,SHA256=2CA56162B36818D371CBF9B844041ED8F0B5852055F2C864CDD8200AB3AEC2B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:49.998{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:49.992{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:49.983{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:49.952{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:49.946{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:49.941{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:49.934{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:49.920{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:49.913{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:49.911{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 23542300x800000000000000011076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:49.329{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB7815C63073CF0A823275ED1B68A7B1,SHA256=D7FF2E1BA16A70A727340E8E2F4DD48214FC840C48CDF6B5F56E25D60A6A0126,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:46.617{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59203-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:46.617{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176C:\Windows\System32\mmc.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59203-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:46.546{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59202-false10.0.1.12-8000- 23542300x800000000000000027502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:49.262{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B7519E7CB4CAE7E9C17D1135D48D9B,SHA256=DEF06AD7ABD72605D69054E9A646EDC6C2F7D14AD6F05174CCC6CE02D73F15FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.878{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAC86BFC8A6B781052C6028FEBE438BF,SHA256=25584B222AAF0A94B27186903F36199868F52B3A0C0ADBA341DA99984B65A859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:50.352{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3754AC6694515AA787DEDC1BAD20D711,SHA256=BEAE5781B4920FA4F6BEB9124A8269BC85DCC76E494651C6054C33541F02A0BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.086{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-35A8-63C5-3501-00000000B002}2596C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.083{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.081{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.080{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.077{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.075{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.075{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.074{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.073{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.071{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.069{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2B00-00000000B002}2776C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.068{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.065{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.063{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.058{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.055{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.050{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.044{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.029{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.025{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.011{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.003{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 22542200x800000000000000027506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:46.634{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176win-dc-ctus-attack-range-221.attackrange.local0fe80::5d46:b69e:195c:9972;::ffff:10.0.1.14;C:\Windows\System32\mmc.exe 23542300x800000000000000011111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:51.987{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0221D6B8F02C4A3C7C81C7C210D04198,SHA256=138295E1A1BE546553168BC0998E76F936F72B71CDEA64DAF06B8D5D9E368F1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:48.564{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49864-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:51.450{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26445F231BFB919210791C19BE613461,SHA256=1DEEB6ECC91F8E623189DF6BF2DA2BCCBC0E02A32403AFC3FF4623214AC72905,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:52.944{312A7A06-3345-63C5-0B00-00000000B002}628668C:\Windows\system32\lsass.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:52.944{312A7A06-3345-63C5-0B00-00000000B002}628668C:\Windows\system32\lsass.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:52.533{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63EA27A2959274146589FDAD6B01936C,SHA256=B113D6FDC335AF913561D718BBDA4EBA29F6CA33399A7D13AC41C82F0260DBC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:52.928{312A7A06-3345-63C5-1000-00000000B002}9442624C:\Windows\system32\svchost.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b910|C:\Windows\system32\wbem\wbemcore.dll+255ef|C:\Windows\system32\wbem\wbemcore.dll+24a8a|C:\Windows\system32\wbem\wbemcore.dll+2484e|C:\Windows\system32\wbem\wbemcore.dll+2684b|C:\Windows\system32\wbem\wbemcore.dll+22b68|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:52.913{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:52.890{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:52.890{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:52.890{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:52.890{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:52.890{312A7A06-3345-63C5-0B00-00000000B002}628668C:\Windows\system32\lsass.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:52.875{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1D00-00000000B002}1996C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000011142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.977{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D5D81DB9EAB2AC1F9FF9CB9557F2E16,SHA256=E271B6A18D245981FFB5C06BB0CD5C5875DA8DC69518EEC543A87D3A55E27E27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:53.633{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68ED4FF0CF6DAE8DDA0C01B378B3ADE8,SHA256=546971CEF1977A1AC26D1B591FEA14B9D890FC3039ABAA78A59E1AB2C576D458,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000011141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:36:53.618{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d9299e-0xd4d11968) 23542300x800000000000000011140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.274{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0AE4FBBF1E79C8BC98CA3AE091949C5B,SHA256=F9B1155061621DB7A8BF0D06260844F44BFB4CCD37A4932A67F9516A63AA5F40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.185{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.185{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.185{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.184{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.184{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.184{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.182{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.182{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.182{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.181{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.181{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.180{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2B00-00000000B002}2776C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.179{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2B00-00000000B002}2776C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.179{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.179{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.178{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2B00-00000000B002}2776C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.178{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2B00-00000000B002}2776C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 23542300x800000000000000011122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.051{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE4E9BF10352ED6BBE1255DF59ECE89,SHA256=D3E40036433B6FFFFE212CEBDE7A1AAD974DEFA7A69B3D612272241AB46C4BB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:54.734{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7711CF7A3A85AE0EFF425BE82D717A63,SHA256=E96DCE7ED36C6D5875FA48125E2CEA43E2990E1358746A5CFCA31BC95E06F8E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:51.608{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59204-false10.0.1.12-8000- 23542300x800000000000000011143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:54.032{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD740E1ADB341FAAD0BD577B16D83CED,SHA256=4A044DBFD835FBE0AB56BD7B960079C74527CDDA6A9F32821D42120A762206AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:54.248{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=371F2F63D2075915472698B87D85F4D0,SHA256=6B1754D63F1638870CB14D7480C163A29C529B02BA4F2CBBF1BDEC4DAE1F7297,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.836{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4D4A317D43EEF84995FE1EFF819D154,SHA256=AE5824A97405B5F24A3154571A12C4730FA6071E619D00FFAAE81FD8C8AF5E55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:55.104{312A7A06-3346-63C5-1D00-00000000B002}19962540C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439150) 10341000x800000000000000011146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:55.104{312A7A06-3346-63C5-1D00-00000000B002}19962540C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439150) 10341000x800000000000000011145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:55.104{312A7A06-3346-63C5-1D00-00000000B002}19962540C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439150) 23542300x800000000000000011144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:55.016{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=446E04CFC8B5346DCF72FA55196AF430,SHA256=5658B4992C64E43E0858CCD89F147441937CDF306597A5780647FFFE190C2514,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0f5|C:\Windows\System32\SHELL32.dll+7b35a|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43eec|C:\Windows\System32\ieframe.dll+43d94|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1|C:\Windows\System32\mshtml.dll+112438|C:\Windows\System32\mshtml.dll+113bbc|C:\Windows\System32\mshtml.dll+113517 10341000x800000000000000027527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0f5|C:\Windows\System32\SHELL32.dll+7b2c4|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43eec|C:\Windows\System32\ieframe.dll+43d94|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1|C:\Windows\System32\mshtml.dll+112438|C:\Windows\System32\mshtml.dll+113bbc|C:\Windows\System32\mshtml.dll+113517 10341000x800000000000000027526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43eec|C:\Windows\System32\ieframe.dll+43d94|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8 10341000x800000000000000027525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43eec|C:\Windows\System32\ieframe.dll+43d94|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1 10341000x800000000000000027524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0f5|C:\Windows\System32\SHELL32.dll+7b35a|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43e8c|C:\Windows\System32\ieframe.dll+43d94|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1|C:\Windows\System32\mshtml.dll+112438|C:\Windows\System32\mshtml.dll+113bbc|C:\Windows\System32\mshtml.dll+113517 10341000x800000000000000027523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0f5|C:\Windows\System32\SHELL32.dll+7b2c4|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43e8c|C:\Windows\System32\ieframe.dll+43d94|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1|C:\Windows\System32\mshtml.dll+112438|C:\Windows\System32\mshtml.dll+113bbc|C:\Windows\System32\mshtml.dll+113517 10341000x800000000000000027522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43e8c|C:\Windows\System32\ieframe.dll+43d94|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8 10341000x800000000000000027521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43e8c|C:\Windows\System32\ieframe.dll+43d94|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1 10341000x800000000000000027520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0f5|C:\Windows\System32\SHELL32.dll+7b35a|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43d85|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1|C:\Windows\System32\mshtml.dll+112438|C:\Windows\System32\mshtml.dll+113bbc|C:\Windows\System32\mshtml.dll+113517|C:\Windows\System32\mshtml.dll+117461 10341000x800000000000000027519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0f5|C:\Windows\System32\SHELL32.dll+7b2c4|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43d85|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1|C:\Windows\System32\mshtml.dll+112438|C:\Windows\System32\mshtml.dll+113bbc|C:\Windows\System32\mshtml.dll+113517|C:\Windows\System32\mshtml.dll+117461 10341000x800000000000000027518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43d85|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1 10341000x800000000000000027517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43d85|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1|C:\Windows\System32\mshtml.dll+112438 10341000x800000000000000027516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6497|C:\Windows\System32\SHCORE.DLL+6387|C:\Windows\System32\SHCORE.DLL+62fd|C:\Windows\System32\SHCORE.DLL+620a|C:\Windows\System32\SHELL32.dll+d6b7a|C:\Windows\System32\SHELL32.dll+9b704|C:\Windows\System32\SHELL32.dll+9b358|C:\Windows\System32\ieframe.dll+43d85|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1 10341000x800000000000000027515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+d6b68|C:\Windows\System32\SHELL32.dll+9b704|C:\Windows\System32\SHELL32.dll+9b358|C:\Windows\System32\ieframe.dll+43d85|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8 10341000x800000000000000027514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+d6b68|C:\Windows\System32\SHELL32.dll+9b704|C:\Windows\System32\SHELL32.dll+9b358|C:\Windows\System32\ieframe.dll+43d85|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1 23542300x800000000000000027530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:56.925{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC07541BB3E3B12BF82841E78D3ED4EA,SHA256=882FA8C7D509605E24BF9E20D6F4FC3A46E50378DB861903B156702FE5D2B988,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.941{312A7A06-36D8-63C5-7C01-00000000B002}26322768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-36D8-63C5-7C01-00000000B002}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-36D8-63C5-7C01-00000000B002}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-36D8-63C5-7C01-00000000B002}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-36D8-63C5-7C01-00000000B002}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000011164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.205{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D8-63C5-7B01-00000000B002}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.205{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D8-63C5-7B01-00000000B002}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.205{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D8-63C5-7B01-00000000B002}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 23542300x800000000000000011161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.078{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D6F187BF451D891EA4507B255DE100D,SHA256=17A50BC6A8E32F948DDC7BB0DE3A5B90453012BAD5A859761A124F3D0A4A847D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-36D8-63C5-7B01-00000000B002}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-36D8-63C5-7B01-00000000B002}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-36D8-63C5-7B01-00000000B002}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.048{312A7A06-36D8-63C5-7B01-00000000B002}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.665{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A5E2035533D27B8DBD113C292FC1EE2E,SHA256=E7670C7E2FCD3CC96727AA83501081B9AA073CAECD91A4B50CA9FBF3B5BAAE97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-36D9-63C5-7D01-00000000B002}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-36D9-63C5-7D01-00000000B002}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-36D9-63C5-7D01-00000000B002}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.371{312A7A06-36D9-63C5-7D01-00000000B002}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5DF855EED734C5153060FE51CA91AE4,SHA256=7B1E59F436B4746535FF61763B7C36ECD7219F65932F623B67E85C0E50DDA9F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:57.367{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.930{312A7A06-36DA-63C5-7E01-00000000B002}33683052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-36DA-63C5-7E01-00000000B002}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-36DA-63C5-7E01-00000000B002}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-36DA-63C5-7E01-00000000B002}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.790{312A7A06-36DA-63C5-7E01-00000000B002}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.476{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF7A75B254035B240C2EF3A2FCD61C6,SHA256=BAFB93719E20FD1B1C5829840C34B7F0F7F4DA389915FD98461A113107BC1B10,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.843{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59205-false10.0.1.12-8089- 23542300x800000000000000027532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:58.025{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE88D193A7A9E47E7A2450DEDDCFFC6C,SHA256=07321D464C2D62B78EF361B2677E1B8B1783ABB4B25ED0A279AD49308FA90152,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.367{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B360E3D4F67D8754C6A85AF5473734D8,SHA256=BF816C00979F2FC3E1D4660820517EA22FABB06F5DF409D4E6BEF8ED903D617B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:54.514{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49865-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.907{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F8CA1735ABBB24AB8C08132199CFB13,SHA256=5FC61C1B93E0C1112D678EC072F3D3A85E62ABE490CFE7B8186E6BA1D3B960B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.829{312A7A06-36DB-63C5-7F01-00000000B002}32922764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-36DB-63C5-7F01-00000000B002}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-36DB-63C5-7F01-00000000B002}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-36DB-63C5-7F01-00000000B002}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.643{312A7A06-36DB-63C5-7F01-00000000B002}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.563{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19327FA8F5CCC88F09340B370BCB2471,SHA256=5CA203EFFA742BA10137CD9A869B746A5CFED80522747F71F461ADC5AD15B1CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:56.705{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59206-false10.0.1.12-8000- 23542300x800000000000000027534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:59.127{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73E73ABF42857F1655E8C9AC0ED25015,SHA256=710D7A37D899781663D8A9B260194DF27B1DE6C53D70E134E62F9D5C4D6704CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:00.221{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F91743731C55573FC0E59491465C46B,SHA256=7D1F1661C910EDF2ECC384525AF149533458B83CF8C8EB27114E84E7A56A8250,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.416{312A7A06-36DC-63C5-8001-00000000B002}10803804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-36DC-63C5-8001-00000000B002}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-36DC-63C5-8001-00000000B002}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-36DC-63C5-8001-00000000B002}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.284{312A7A06-36DC-63C5-8001-00000000B002}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000011257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.497{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36DD-63C5-8101-00000000B002}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.497{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36DD-63C5-8101-00000000B002}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.497{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36DD-63C5-8101-00000000B002}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-36DD-63C5-8101-00000000B002}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-36DD-63C5-8101-00000000B002}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-36DD-63C5-8101-00000000B002}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.418{312A7A06-36DD-63C5-8101-00000000B002}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.099{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BEEFB3466E9C8844112D85465ED21A2,SHA256=164A40701B90317D258E2578654F1ECB340F42430AC07874F04B797D127390A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:58.241{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59207-false169.254.169.254-80http 23542300x800000000000000027537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:01.320{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F19CD38B81F991D3FE7D862D71D486,SHA256=6F87A59922F422B46DAF5368423356B83A59C048D3249E7CDEF4BBD9BC15DEA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:02.149{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EC7CAA7FBA9463EC89B1C23C71147C7,SHA256=42056C079729FB35DE06843D9A03F80DE4AAE88FE76C0F0485703CF32AD73968,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.770{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.764{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 23542300x800000000000000027558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.387{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCD1A7EA55333DF5DC4CB97E2BDC23D8,SHA256=83FE70EBFC4013885422F0D3396AA21106195D9B294B44EB4A9C5A813FC464CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.346{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.335{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.329{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.327{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.325{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.323{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.291{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.285{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.272{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.265{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.260{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.224{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.214{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.204{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.197{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.188{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.181{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.128{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.120{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 23542300x800000000000000011259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:03.230{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08494E3B8D716231802F390979D038BA,SHA256=10B6A856F37731D6BC9303A27A34163BE90BECC9C16A62C6B8D7359368F3D83C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:03.446{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E25744F47E6B373E307F520C3BD66F8,SHA256=144DADF322835E151D23AF18AC29AD31807DBABA9FBC4F73F523E8BED0A8B6FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.806{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.805{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.800{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.797{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.795{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.788{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.570{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.554{FCCA13C7-30EE-63C5-1600-00000000AF02}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=2615CEB763846F8DFD72B910B7F259B1,SHA256=A3E8A5B5E6FBC831FBEA6D819B4A501EEB6013EBF54073DDC43836F8BCD9089C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.536{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BADB78ADACB3F06740D80C925F0F149,SHA256=057991608979CAF144ADF98C550554CF3941485DFF8AB866B515DDDE2EE6F875,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.518{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EA-63C5-0100-00000000AF02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000027565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.506{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-AF01-00000000AF02}3376C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000011261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:04.301{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E3BD3A818C420BD38264839F3A8C35C,SHA256=BFF5B6C4B9F1313914E366AFC82AB22A2BA760903856DD749FA3CAE5CB270F51,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.520{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49866-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000027564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.427{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.412{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.412{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csvMD5=2615CEB763846F8DFD72B910B7F259B1,SHA256=A3E8A5B5E6FBC831FBEA6D819B4A501EEB6013EBF54073DDC43836F8BCD9089C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.800{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D3010BBECC750A7EDB142B2673D9BB,SHA256=9DC30F4A4C52CDE763C60F2FF5E9A5DEC99CA81BBDB7D57F474EA58775F0245A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.800{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F74575FCB488D213D436EEBAFFEAFD06,SHA256=2EFEABC5D1F0ED4C87625C9F584DE9336587D3316967686846ABC8A79C2DA75E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.991{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59211-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local445microsoft-ds 354300x800000000000000027600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.991{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59211-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local445microsoft-ds 354300x800000000000000027599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.910{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59210-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.910{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59210-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.902{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59209-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.902{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59209-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.617{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59208-false10.0.1.12-8000- 23542300x800000000000000011262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:05.364{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3832C3A5F72788CE1AC273B47B0CCB04,SHA256=D997CC42C55D1E7CBA8F4C7CAC35D5444C44F5102F40780624DC801925CB559B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.432{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4951A7A1CBBA1EB571D0991003E29932,SHA256=4DD098EC59C495D4A765242F490F94A80C7CBEE928BBD6EC32EB0FD57B9D7F4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.425{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.418{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.402{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.399{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.367{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.360{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.347{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.342{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.340{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.337{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.335{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.334{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.331{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.328{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.328{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.327{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.326{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.324{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 23542300x800000000000000027604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:06.703{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8515AC131B2C314E0DBEC81C323B5F2C,SHA256=A114B97E2DBB94D9F6ABA424BE75A8A6BCBCEB45740F267CA64BD5B8488A1E49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:06.445{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D7A26B001E200D1473F1B46F5792A76,SHA256=5442A6E0DAA2D097C6755656520F08C40DF63563DDCAB2B8E28660FE62E06673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:07.800{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1D80CB6F83DC176B6AB30AAD207000A,SHA256=026D2022F5898BE17401B32A675015EE59E4E8D03C88786BB45036258AFA1820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:07.940{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\respondent-20230116112145-014MD5=B18DB66107F9A3DB58AE009D35CE0A39,SHA256=9B023875329D6D96D1D2E2C61D5FC66BDE525A94E7FC76E10487647BF6E62E63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:07.524{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31A7F0094A48BCC0118B14B11461C6E1,SHA256=6B20DE8317C1E3D73C850BB0E94BA359AE84BE6E8205BAB6D140793BB9F742B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:03.694{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:281e:18ed:f5ff:fef0win-host-ctus-attack-range-589546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 10341000x800000000000000027608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:08.979{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:08.979{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csvMD5=D68C5A19358E1CBC980A7C2778252E44,SHA256=A5CF90880A6F9D95E3122D1E64735B8565977DB74CE72C2717C500238B8B8A9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:08.901{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA33FC3AE12E48BF5BADDCD3DA964F97,SHA256=D3EA892583C5F84E72A8C486869E7B85A28410DD062E6FEFAC324172325ABAD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:08.947{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\surveyor-20230116112142-015MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:08.617{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0EA558E0B284EBF5905A181CD10E491,SHA256=AE37D8A02A79F9E7464EB8FFA27CC52C1889092C98C63190D0AC5762025B6C66,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:05.535{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49867-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:09.990{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E38B82C2A1F7FF631FAC3C6A91333C67,SHA256=3DD2F888C4636578666D9DCDD790F9EC6E0300D4004398B02C082CA3D208CF7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:09.991{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:09.989{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:09.982{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:09.975{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:09.969{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:09.963{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:09.958{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:09.935{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:09.928{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:09.917{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:09.911{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:09.906{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:09.900{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:09.898{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 23542300x800000000000000011270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:09.702{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D28A0E275AB5507099F1C8E9010F2AFA,SHA256=6E5919C370391CDA586ECF4C2BB2E8FEE782C51242B4CF3B2A5A0F1112CCCC73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:09.121{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:09.121{FCCA13C7-30EE-63C5-1600-00000000AF02}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=D68C5A19358E1CBC980A7C2778252E44,SHA256=A5CF90880A6F9D95E3122D1E64735B8565977DB74CE72C2717C500238B8B8A9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:08.995{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000011303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.938{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31CFD3D9012DF65D2196CD2D0F6D0D9A,SHA256=D8E3659E2EA5E06F7839C41EB5480979972DD5EAF5B3F99EADA9FB273CBB9EBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:07.681{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59214-false10.0.1.12-8000- 354300x800000000000000027616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:07.477{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59213-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:07.477{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59213-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:07.468{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59212-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:07.468{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59212-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 10341000x800000000000000011302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.046{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.042{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.040{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.039{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.036{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.033{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.032{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.031{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.030{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.027{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.025{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2B00-00000000B002}2776C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.023{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.022{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.020{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.015{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.013{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.008{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.002{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 23542300x800000000000000011304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:11.970{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8EF882F17ACA436B9032BDF83D7178B,SHA256=9B1103DB49096EDC91A40553EFA5A14B86D80F63E1AFFF9AC96FB69359776568,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:11.075{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3085F5E56459CA9CEA3420ADD4F1D358,SHA256=BA2A02741812D032086D89C4B3CA5A57D9C619CD16FBABB9930B6D872CE0A66F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:12.169{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49859B578F13C955C6A4A42CB2292A8C,SHA256=228AF66108B52AF1F35490D5B039407F0A1D84BE15E34F364AA2F14F1F496A37,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:10.236{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local59215-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:10.236{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local59215-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 10341000x800000000000000027625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:13.701{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:13.701{FCCA13C7-30EE-63C5-1600-00000000AF02}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=78658B6A446856051B3A2E71EFA07645,SHA256=0B317E57A721A6BB109CD578E61C0E2203936E7B48F72E11959F26F11FBD6F4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:13.560{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:13.560{FCCA13C7-30EC-63C5-0B00-00000000AF02}628808C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:13.545{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csvMD5=78658B6A446856051B3A2E71EFA07645,SHA256=0B317E57A721A6BB109CD578E61C0E2203936E7B48F72E11959F26F11FBD6F4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:13.264{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D33FCD9853A0827E5AAF4C81DF08DFE3,SHA256=831D2D3145D19F7B0E2AFA1D5FCB55AAAFCC93C77AF1DBD7D3B0361AE75229D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.644{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49868-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:13.042{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBA1A7ACA18DF70C524BF4DE1DBEA59B,SHA256=1D305DBF8C1ABAB33D344AC543163D482758569999EEF46C589B7A97C2AC445D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:12.047{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59217-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:12.047{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59217-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:12.039{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59216-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:12.039{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59216-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 23542300x800000000000000027630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:14.713{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7C268DEC9C4DF79C4068154D32953AD,SHA256=DF01A8B848DA6CCBC4404B5321A92452AD7B887533CC77E281E433B489929898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:14.604{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3F3D75B82D9B790C720605C9A16CDD45,SHA256=A487C971D0BE77023FA88E6542E30DD1F3F1C9E66A448B34F776751E960EF7DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:14.352{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45CAC864F96D6067A382EF54475AF68E,SHA256=FA3E26B8A50C05D2865E36EBA0ABE7A9D558535179D2CFCA6D11B912BACACCED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:14.132{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29B35038FD5716DF04AB4219FAEA7CAA,SHA256=2037F296FE17E1BC6673EB20BDB99C6AACC492F5DF0808F7DE9717257DFF1054,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:12.732{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59218-false10.0.1.12-8000- 23542300x800000000000000027635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:15.447{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=717905B58A23704264D09CB0C90B2BD2,SHA256=65426F8D05B82B307C49857F09C6DCA82712EE2C79891EEAF6F2546DAC66A062,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:15.218{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7A7B98E1BBDDDA00BB61A2186485B99,SHA256=4DDF1C55273F78A0471966CABB2BEC41EB7541D884985E1044E0A114E7735000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:16.542{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E2A4825FFFD408B147C3B4D94CB654,SHA256=5F697EA5477DEDA99807BB256EF08B809C967465BBC7788531A08841F6D4EE30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:16.279{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED3279E629033E6A7EEB19911CE05953,SHA256=211FD289C8ACE778234506F414CE7C62BAA4BD9A632CB04046234792638CB0EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:17.385{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1206A6242132690B7AA173B12DCF055E,SHA256=2A92B87F05A2D20B39927206E34992492C248386B34237A2B1661F6A03ED8CB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:17.643{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26DE11E8C0C3570F3768BD4EB7AAEEA1,SHA256=6DFDBE497B8838DA41BDFF623FAABB3B56D796BDCEF404424C182394C88AE7E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:18.723{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6074ABB11276A13135781BF5213371F7,SHA256=98719E7D62C3A4DFDCCF17BFBDDB76F560D868AB35EFA9A3161B1FD481B749ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:18.694{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:18.479{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13CF22FCB696AA3568124C78F9B27ADA,SHA256=31871F2C76E89AEEC8A972DCADC8A590259B18BEFFF59D38193C6D25BB44BB25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:18.161{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:18.161{FCCA13C7-30EE-63C5-1600-00000000AF02}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=E5C3BFF0595167BE171D963FF86E205A,SHA256=B84A07A720089EF6F48BD12C5F6547E9C8CF1FBB6D674EC6F12403A0C38A874D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:18.034{FCCA13C7-30EC-63C5-0B00-00000000AF02}6282324C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:18.018{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:18.018{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csvMD5=E5C3BFF0595167BE171D963FF86E205A,SHA256=B84A07A720089EF6F48BD12C5F6547E9C8CF1FBB6D674EC6F12403A0C38A874D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:16.512{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59220-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:16.512{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59220-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:16.503{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59219-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:16.503{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59219-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 23542300x800000000000000027645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:19.827{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=415124556A1FFE1814E24E21D0EF44A0,SHA256=D5195D3DA4106364CA3B63C2E4E4408DF6A666BB5C7598758787461AA754032B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:16.596{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49869-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:19.578{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F37D0D6E472FF1E8FAD2260985C0655,SHA256=4139506BE2196C4CFAEFA703DA601539061EB3146EC6E62FECCE6FADA18F5C45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:20.942{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E793DB03AD32000BE50D386EAC7A1D,SHA256=53FB397280CAAE033CD23D14426DBA0BFE12EAF8F2B9B0071A769EF56F4F6A02,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:17.077{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49870-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000011315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:20.676{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64FC40B0EBA161152FDC960B383927A,SHA256=A1B6BE34169E2F51395951E96522F76B60D424D25CCD917766A5BD79E1D87E24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:21.980{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:21.980{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000011317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:21.743{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A24069A90E8A35BCB1B2A699A4660D5,SHA256=547FD0C79F80C88A38E3AEB6EC2151A12EBBD052BA85F37F5A6B2942D1C73378,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:22.813{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17583776AF96079CE6D20160A7DCE602,SHA256=5DF31AAD0A29FCFB77C145302F77430AC32B90190B09DCF34108A09733271E5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.679{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.674{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.350{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.340{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.330{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.326{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.324{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.321{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.281{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.271{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.255{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.248{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.241{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.210{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.202{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.186{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.176{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.161{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.152{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.108{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.105{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000027654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.046{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7C08BD2FBB145243E9AD29419F70AFF,SHA256=40320DE72BF3F36E4716F1FFC7511881B1AFF4A21C96F993CA2AC8E867F58316,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:18.647{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59221-false10.0.1.12-8000- 23542300x800000000000000011319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:23.884{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D9D2B71160451467068AB130E2EE554,SHA256=2F0B3D49189DD6DCB9035BA1326EAF7C659129D598C613D74823C5F1CECBC0C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:23.547{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36F3-63C5-4F05-00000000AF02}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:23.547{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:23.547{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:23.547{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:23.547{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:23.547{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-36F3-63C5-4F05-00000000AF02}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:23.547{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36F3-63C5-4F05-00000000AF02}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:23.548{FCCA13C7-36F3-63C5-4F05-00000000AF02}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:23.085{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=245E1B900CF040A040D1986747BF3322,SHA256=DB2FAE570D49745A5CC1B88C04F90D60E2512FC8B886A57D9C51F58267FD6EE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:24.959{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61EF3F4A0800D4B180A7132137F70AE,SHA256=E4DA2A030FBAD6B1C2360CA339B567D406A09A0B39F4446FEA0B1963639AAD58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.856{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36F4-63C5-5105-00000000AF02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.856{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.856{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.856{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.856{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.856{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-36F4-63C5-5105-00000000AF02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.856{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36F4-63C5-5105-00000000AF02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.856{FCCA13C7-36F4-63C5-5105-00000000AF02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000027712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.840{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.840{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.840{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.732{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.731{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.728{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.726{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.724{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.718{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000027703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.495{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7E79668CB70C5DF98B4309FE6229DBCE,SHA256=FE6C135ED8E04CE6DB30B1DE1BA66904CC48D899CC7701A24053FAA4B930426F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.411{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F2D38E4BBB21CC605A35FD666E125737,SHA256=CF0EBDD24E08DC04EC7F3C0393F58D4927EDD1B7E8DEB783023A3620BBB99343,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.361{FCCA13C7-36F4-63C5-5005-00000000AF02}31165428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000027700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:20.456{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59222-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local135epmap 354300x800000000000000027699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:20.456{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59222-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local135epmap 10341000x800000000000000027698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.192{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36F4-63C5-5005-00000000AF02}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.192{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.192{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.192{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.192{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.192{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-36F4-63C5-5005-00000000AF02}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.192{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36F4-63C5-5005-00000000AF02}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.193{FCCA13C7-36F4-63C5-5005-00000000AF02}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.176{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD9AE3E3A20F638EF2107273CCBA29C,SHA256=7D1A30CC6568B807973B9EFD184A17CDA9C1A607A23A91E73B063BE3FE2E18F9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000027689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:37:24.018{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6335A056-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6335A056-0000-0000-0000-100000000000.XML 13241300x800000000000000027688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:37:24.002{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\F283BD66-5E50-484D-ADBD-4AC94CBA68D3\Config SourceDWORD (0x00000001) 13241300x800000000000000027687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:37:24.002{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\F283BD66-5E50-484D-ADBD-4AC94CBA68D3\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_F283BD66-5E50-484D-ADBD-4AC94CBA68D3.XML 10341000x800000000000000027686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.002{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.002{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.737{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.726{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.717{FCCA13C7-36F5-63C5-5205-00000000AF02}37286600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.706{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.703{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.674{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.667{FCCA13C7-30EC-63C5-0B00-00000000AF02}628844C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.667{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.663{FCCA13C7-30EC-63C5-0B00-00000000AF02}628844C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.663{FCCA13C7-30EC-63C5-0B00-00000000AF02}628844C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.652{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.646{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000027739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.646{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CEAD6006BF9EE1708FC7CE73B3D5D1F,SHA256=8B4B2CFD4D4D5E46078A7F12B0233CBDE535A7DF178BF8EAD53000C7D3D5F248,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.645{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.532{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36F5-63C5-5205-00000000AF02}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.532{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.532{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.532{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.532{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.532{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-36F5-63C5-5205-00000000AF02}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.532{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36F5-63C5-5205-00000000AF02}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.533{FCCA13C7-36F5-63C5-5205-00000000AF02}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000027729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.255{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.253{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.252{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.249{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.246{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.245{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.244{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.243{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.242{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 354300x800000000000000011321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:22.567{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49871-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:26.814{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3E559ECA8103E45926E7F36A4345D66,SHA256=DFAD8013845BC0C6782B52B49E9EE50623B354F0C89D2F87D8D80569EB0B9CBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:26.534{FCCA13C7-36F6-63C5-5305-00000000AF02}70004916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:26.494{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-36F6-63C5-5305-00000000AF02}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000027763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:26.494{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-36F6-63C5-5305-00000000AF02}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000027762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:26.494{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-36F6-63C5-5305-00000000AF02}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 354300x800000000000000027761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:23.314{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59223-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:23.314{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59223-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 10341000x800000000000000027759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:26.355{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36F6-63C5-5305-00000000AF02}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:26.355{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:26.355{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:26.355{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:26.355{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-36F6-63C5-5305-00000000AF02}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:26.355{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:26.355{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36F6-63C5-5305-00000000AF02}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:26.355{FCCA13C7-36F6-63C5-5305-00000000AF02}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:26.032{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=150EBF1445E09DB469B5FCA1E098D049,SHA256=646B2138E8AECEBD9D150773B9419B6BDF2C801C27D2C0A5F176E40663C610DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:27.953{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B1E09AE89D353E71C5E96A5ACB7220F,SHA256=D980DBEDCA7A74298B13E5EB66568139B456178D708E35FDA013233073F05871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:27.841{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5A344358FF280AE92E7E21DE8BB1A8EA,SHA256=C0642FF4A6C2AED07D682052E1EFD48E86D6FFB5B9524CF224C4A7184C999F81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:27.123{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9E646AFDAA996D982892D2380969B4,SHA256=9B069B1A0F6AE8145073EAC7B247EDDDF921B8A871F97920792F2E7EE841FCB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:27.206{FCCA13C7-36F7-63C5-5405-00000000AF02}67844400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000027776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.134{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59224-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.134{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59224-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 10341000x800000000000000027774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:27.033{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36F7-63C5-5405-00000000AF02}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:27.033{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:27.033{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:27.033{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:27.033{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:27.033{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-36F7-63C5-5405-00000000AF02}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:27.033{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36F7-63C5-5405-00000000AF02}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:27.033{FCCA13C7-36F7-63C5-5405-00000000AF02}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:28.199{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2886C4C4778642AFBA828B56EFF825A4,SHA256=B28AD30C7DFF15252A26B8472AB84A7818A8779CB74B262B94D90D68AE157FE7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000027780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:37:28.424{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d9299e-0xe9900687) 354300x800000000000000027779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.594{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59225-false10.0.1.12-8000- 10341000x800000000000000011338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:29.994{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:29.987{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:29.980{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:29.970{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:29.961{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:29.936{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:29.931{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:29.924{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:29.914{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:29.908{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:29.902{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:29.899{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 23542300x800000000000000011326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:29.278{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B47AE543BDD9F911D4CA20200CC0B946,SHA256=3635FEF8371B37778776E92B8017B8028C040A4E50FE80DD4B8A8782321F1C8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:29.052{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36F9-63C5-5505-00000000AF02}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:29.052{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54BA30C2AF6538AEB36405CEB10B263D,SHA256=A1B975F6EBB56DADE96B2053F312E69DF172E0DEB5443DDB6E9F0BDF31A85C67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:29.052{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:29.052{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:29.052{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:29.052{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:29.052{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-36F9-63C5-5505-00000000AF02}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:29.052{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36F9-63C5-5505-00000000AF02}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:29.051{FCCA13C7-36F9-63C5-5505-00000000AF02}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.382{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFC75094F21B01A105E649A076E61627,SHA256=0808B68B5ACB544C7241064D70072D1A5EF01FC4A2BB2BEB50A8CECAFC3C2DF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:30.160{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6931E84AF4B47A7F3D8882A284F539D,SHA256=633DE7D9F07ECD1F90D451BA64F2E9C79D6BE9C20FCDCF8D085D0BDE10EA2F35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.070{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.068{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.065{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.064{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.061{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.059{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.058{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.057{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.056{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.054{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.053{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.051{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.048{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.041{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.040{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.030{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.023{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.009{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.007{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 354300x800000000000000011360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:28.429{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49872-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:31.653{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=863C6363B3AC8DC4F693E4DA1EB22DC2,SHA256=77F58B4C61FB2D27C4D7381F8731773D3C389D6A8EFB80F6D928A3D43272F4D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:31.252{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACDE17E9243CEB168C4BF3CE2334777A,SHA256=AE98F3483C05920BD7C9D4568F9EB20CD2488C8E7CF9B853A5E88DFBC09AFA00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:32.737{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C0BC39FC26B84FF241F8C0D322C566,SHA256=F365814D89529BA0E8CA1D326B5A5E0058AF29EAF908789BA0EF245FE8AD7BAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:29.647{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59226-false10.0.1.12-8000- 23542300x800000000000000027792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:32.331{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7674F1E102971631D5A558E986A6BCEA,SHA256=BE6500636E965CC3A025FB2DD9E48AC7563E8EF9B40A70392A6B116F5E8E9DB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:33.820{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45F9C2F4B83F9BB240A9762513EE6A1C,SHA256=8B8AC7FA663469DA76B0E254F7C79B85025F7865967EEB7B8E42C369F339E15A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:33.425{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B6A13341D505D87807118D55338AB1E,SHA256=662A0C70881847140834B1B481D1CA4BBDB808EBCD7837BB2D6824BC8E2B3108,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:34.899{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=526F5AD00BD3DB53D78B70D81C5D8548,SHA256=72DD65C70E04EAD4CB4FA2F32C663547A17C44A2806083663E8859281EFFE8D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:34.517{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD246B68E3688981E8D2136799FD2C5B,SHA256=1F1E854821AD1B11C7EA443D1DFB49B6C58293920975F5DF64B9CE9412A36280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:35.985{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=277BCB3419C06A365614CE79EA17B8B5,SHA256=B568E7FA45BB2E8A18038088ED29CA4E4E4C5B91519DDE9E907E77F207DB9FC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:35.611{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFFE7A03A6353D4056137531C572D2C6,SHA256=62F2B4F0FC03B0B151071FC5F674CC68838916AE3C777FD1D561DD53257A315E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:36.703{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73321B030C9BBDD2010D4772A4749643,SHA256=7A69C88800306BAE67A934B24FB6982A03D3F2724FEF6EB70076429008EB26F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:36.344{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\respondent-20230116111158-024MD5=3A7897B317CA03B79FE07533175F9643,SHA256=F76FF17815B8F96571634A983322FD544389A7130FC207258DDFB92658757A4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:37.782{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51235F99D9B72E5B7A7294EAC030E3E6,SHA256=2DEA9A684C06350818E90CF79E715AD2A2CA05763113B59091C3E3DC2B2028AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:37.057{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FB6FC08696B2BFEC602FCEB50B23C8E,SHA256=9D32B0B6C8C4FC3160B1762A144152A1554063C0E757AB8A1F616EF84225A8EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:33.587{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49873-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:37.346{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\surveyor-20230116111156-025MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:38.881{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=633A6D9146AF191710BE58DF22CFDED3,SHA256=0A9590CDF356FDE2475A0C2BB80B5D0A45625872AFDB431EFD749B73C74C60AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:38.140{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFC528F49B04BEE07A5FFABEC9473041,SHA256=B9C5BFA5D3E46D55E44A7540E05083D40979C326A1B94B58E51924289D3FBCE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:35.519{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59227-false10.0.1.12-8000- 23542300x800000000000000027803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:39.983{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9F0E5129899D28C3217E6151FB07208,SHA256=769C27F671558D49FBBE917861AB4D4DEDEE23061CEC161D6AFC6D198E004E4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:39.236{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81E67DBA8672612649F24C1B1BC19ECC,SHA256=66FB25128CED38FA4B549CEF9FBDB539B28B6DC1CE76E6CBACC2BC08007F555D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:40.307{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9AA44E2B2788BBF6E8345A1981B00FE,SHA256=0642CD2B15D2FB3C072B98936D97F6986B1E6D95A20E021F9C0B0A31B222BA34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:41.388{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F230C82FBCB24E175ABBC803D45187ED,SHA256=3B24BB7B0208E0D208C1B68367C575BCA06E56616FF8C6C086F52820DEEDF6CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:41.097{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C008B47FD8609FE5272D991A041B0D,SHA256=0416794A4D531611081FD7EBBEC1DE6BB250F64BA6D3D086159773B1206D608E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:42.468{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=228648ADA5A8C81D005A9420BFC45017,SHA256=15DEE780836E325885F532313D63B11C70292A5381A2A01151E971CFD85E2242,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.625{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.620{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.282{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.273{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.267{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.265{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.263{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.261{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.233{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.228{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.215{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.208{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.203{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 23542300x800000000000000027813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.179{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=771E1EFEDCFC4B95C3AD33170A55DF9B,SHA256=FE60A48D56EF4E3683B8A03512ED155F46D6BEBC4025B83A33D7BF0E9B42891D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.177{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.169{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.159{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.153{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.144{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.137{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.104{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.101{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 23542300x800000000000000011374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:43.711{312A7A06-3345-63C5-1200-00000000B002}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1E3FF9B21CEFD5640A170A6FFF06DDF6,SHA256=5BB2BAE9231678B2A6D59AD933D0362B754E8F4A31FC573A899742773D1A7822,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:43.538{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03675CCF58E5B34182A693EEC082AD4F,SHA256=56688F50987BF323FB459F892AD15DA3D5A3BEA33702B8AA0770BA5BABF0DC68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:43.886{FCCA13C7-30ED-63C5-1100-00000000AF02}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6F6E05C772002D47ABE127F5CC7E421F,SHA256=0E2BA50EA29D877A88272F1F642F528AB5D555F48852828AD8AC42134FFBF895,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:40.574{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59228-false10.0.1.12-8000- 23542300x800000000000000027827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:43.123{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE59B9388ACF9078F4FA3C1FD5EEA67,SHA256=56B4831A0E46EB442CA27895E0CC50F7DE3E8D822DBC987EF71E911CEDA0D3A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:39.596{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49874-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:44.616{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7A259ADBEE523327FADBFDC1D16D0C,SHA256=E57A116F70ADF27B151CF719E087BFA0DE6F0B97B9D8C574E126884F76FD4D4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:44.677{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:44.675{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:44.672{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:44.670{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:44.669{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:44.663{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 23542300x800000000000000027830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:44.218{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17F67F24B5BCD8047722E1744DA52D6A,SHA256=C1880B473585AD00C96A5142F4B504FDE8DBE6984526F2063DABF3ABDE2A292B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:45.707{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB3DB7290BCCF26C0441BBEB49A94E27,SHA256=3F6D509E40001C4285CFDECD09DA6B03A7345CBFA63408E864571EB155DBAE20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.303{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D12FFC9392BED20E816009771E5679F,SHA256=F46B3DD451E27CFD603B3A958DE3539ECC960E20A0EBA211DB2326485FD9433D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.276{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.267{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.252{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.250{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.225{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.218{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.204{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.199{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.197{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.194{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.192{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.191{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.187{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.184{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.183{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.182{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.181{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.179{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 23542300x800000000000000011379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:46.816{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B271B14CE216A14E8B3000CBAE3AD03F,SHA256=C279A80ED275C1BCEBFF326A196CE8F4483F3845FE22DA8027098BAC90E1AF56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:46.717{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:46.279{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81DC7A3E611AF5B343ED1152C874AD58,SHA256=EEC8FF7958D30380C670F039163353DEE5F62FB9D168FF757D58570AD4642F59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:46.313{312A7A06-3345-63C5-0D00-00000000B002}7763696C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:46.313{312A7A06-3345-63C5-0D00-00000000B002}7763696C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000011380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:47.897{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1AFC94FCF9AC6F151F8364C99B3E41D,SHA256=C625B2C16F98D74017F23CB3E5827A7EB2EDAA82785F9C241DF6EB3C173B30CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:47.706{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:47.706{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:47.706{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:47.375{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51AE42D8F644999215B9E8B4A10C2A61,SHA256=EE3256CAAB0BEFBBED4D451E4FB88409A2F797AD264B56E6BF04F636A3A81CCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:48.996{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58FA4173FAE2C3D71DAFBD3CF9334F15,SHA256=69A9C7A565D629D34EC7C028BB8007C2CAEAD24FC621C44F5DA36EB009B323C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.706{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59229-false10.0.1.12-8000- 23542300x800000000000000027862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:48.474{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FDA91C39396EBD7EC839C0552D78F76,SHA256=26238F29E435BE790F903931EC5CC43E7A3BABC6FB0C60FDC9145E4F5F02747B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:45.534{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49875-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:49.671{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=60A131E5DB1C92CE2F8BF077C5AED69B,SHA256=AA1957FA52978B070FFE928C39171F67887717A5056441BD5B4AA1FF531960F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:49.569{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B31ACA72A236CEC274426BF9B6FE5CAB,SHA256=FD7290F75F0D238661433AE15D0D7DCF1182E9AE62795A7FE841D3F37BD5B2C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:49.569{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=534DDA57E01275F16FF8B80DF6518716,SHA256=CDB171E63AF651AB9DDA64B0442910BB62B81F87BE4303279DC5DB025CB141FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:49.988{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:49.982{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:49.961{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000011386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:49.938{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000011385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:49.925{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000011384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:49.916{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000011383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:49.914{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 23542300x800000000000000027867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:50.654{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40FB8351CB055453DBAA4BE01C2E6840,SHA256=800FEABA24CF6A064373D41BCDD0E38F33CFBA315394917205591FFD532C1F5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.112{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.099{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.097{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.096{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.093{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.091{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.090{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.089{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.089{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.087{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.086{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.084{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.082{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 23542300x800000000000000011401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.076{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF297B0256666182C924CD65A36123D9,SHA256=78AB3D40429893B73F228D0A48D74D571C04DE15D90F66D679856A2BCC38CEE8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.076{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.073{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.068{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.061{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.049{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.048{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.039{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.033{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.024{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.018{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.013{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 23542300x800000000000000027868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:51.734{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1777ED7816479B895D31321D53FECBFA,SHA256=3EC1211B0B3809D57E7203E49163B94B4F9DC2BADB2575E7C820E5E01E9197A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:51.031{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5182362178C481ADB055AE1CFB2AD388,SHA256=4BB3C025A97F7DBDC7104F527590985852450889F9D4935C71453D67A25CEA92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:52.836{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2430A0C413874AB06BF175E01A3892E4,SHA256=08177B32A12373D93219F4409386087E542697D010BF8C43CEAC83BC85826DE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:52.886{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1D00-00000000B002}1996C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000011416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:52.137{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3644BF0D205058C1A8F2A1E5653A33CD,SHA256=04C832566B3A1C14CB1EAE5348864EFD3AF68518C43D671750713A3FD8DD274D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:53.913{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=142E127422FC3D2ECD4228D6AE1D879A,SHA256=791BB32A9A52EE14082E5567F5C6C30885570372BB6F7B6D9A060E2A2979613A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:53.191{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A55E7ECFC1BC4DB32B3BF9A7E76D02B9,SHA256=C944BF85230725DAE00C509D5456A090DC30D8C06F259DF9EC4C854DC2CDABF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:54.268{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E68E23906A85466F42D28143CF8CB679,SHA256=7556C8C22CB6ED9CD22FC7FA672419C9222AC781C8DF560C503DCAAD9D9C139C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:54.559{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FB8179CB9297C32D74E56BAE91A70268,SHA256=7C5CB801AFC037EDC95ADAA286A85CFD6572ABB2A86C57CE851D6C80AE5E34E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:51.552{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49876-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:55.350{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45FC9916C1B75C9D46834723E930478B,SHA256=7C311B135CC69CF7B5C39D3F164A0D3B3E20B0FC099D7E92D55186F589A6CA91,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:51.622{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59230-false10.0.1.12-8000- 23542300x800000000000000027872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:55.010{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7855D5ABB8EBCAFEC17A6C2694221C3D,SHA256=0F26406B49CE1F4384B5114DC9A66E0C1688FC8F3A966B99CFBFA9B8613580FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.867{312A7A06-3714-63C5-8301-00000000B002}34363876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000011449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.757{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=31A0C6D2AC47FC5AD6CB5B585DE747C0,SHA256=5761CD4873ECD943A6756582D31960E9D3DFE1DA3ACF5AB2510D5D914A397B11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.704{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3714-63C5-8301-00000000B002}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.704{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.704{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.704{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.704{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.704{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.704{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.704{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.704{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.704{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.704{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-3714-63C5-8301-00000000B002}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.704{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3714-63C5-8301-00000000B002}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.706{312A7A06-3714-63C5-8301-00000000B002}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.440{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=827EF879B3E5336BD7B9E38E9E7E653D,SHA256=13C3283AD9746B33291CC28C5B373FDC2526E68CA0EA9A0A1B4D3429F15EE10C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:56.109{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4EF796402AABB77BF335DD7C19FA8BA,SHA256=692724F4064209FC2DA9EB1F75EF998C946B21946332EDB18C6A876BA1775124,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.065{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3714-63C5-8201-00000000B002}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.065{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.065{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.065{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.065{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.065{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.065{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.065{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.065{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.065{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.065{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-3714-63C5-8201-00000000B002}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.065{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3714-63C5-8201-00000000B002}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.066{312A7A06-3714-63C5-8201-00000000B002}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:57.674{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DAA5322097FCE99FCDCB3532644DDAF,SHA256=6F853F68AA7DD13B6ACE2C35A96F449AD2CE0CD97B11A3475C45B876A5BB7DE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:57.398{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:57.210{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=733DB3BEA096061247F50C731C59A2A5,SHA256=963BD300FB9EDD5C65D5FA2B07FAB28152C3632AEF9B663F8D5CFF39417A9917,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:57.390{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3715-63C5-8401-00000000B002}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:57.390{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:57.390{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:57.390{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:57.390{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:57.390{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:57.390{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:57.390{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:57.390{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:57.390{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:57.390{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-3715-63C5-8401-00000000B002}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:57.390{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3715-63C5-8401-00000000B002}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:57.390{312A7A06-3715-63C5-8401-00000000B002}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:57.186{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D93FF5A00C0384E5DBBFD264F136B056,SHA256=483B3E07DD11E531C4314408DC617BFA664F9B329CBAE823179C416C0EC62B53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:58.948{312A7A06-3716-63C5-8501-00000000B002}32443240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000011480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:58.823{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE5D308897FE1C98DB2227C903C092A6,SHA256=2C0375A4A658DC79FCE8DD092DD6AD55AEEAA67B45505B14D788215B831725CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:58.807{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3716-63C5-8501-00000000B002}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:58.807{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:58.807{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:58.807{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:58.807{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:58.807{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:58.807{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:58.807{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:58.807{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:58.807{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:58.807{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-3716-63C5-8501-00000000B002}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:58.807{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3716-63C5-8501-00000000B002}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:58.808{312A7A06-3716-63C5-8501-00000000B002}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000027878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:55.854{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59231-false10.0.1.12-8089- 23542300x800000000000000027877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:58.303{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E32049FEB645C9320FEEB54FFE1A5E4,SHA256=46F39334DAD65751A28C6755C9934CCF895423C30D094699BFCA496476932E0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:58.035{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=274B24C9B82BABC2E66896F221EA035C,SHA256=38E52B91319DCF4A895A07850A13A9E1E5AC0FEF42FE9D0541A0A439757B368D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.968{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9AFDC535CB3DD593F17C85179F46B3C,SHA256=0B86D849E0F3A24921A739B884B09B77B833CCC4BAF1B19100A243E881DCDD96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.841{312A7A06-3717-63C5-8601-00000000B002}22723964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:59.397{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83649CC1F7742275113223963DB94EFE,SHA256=62458CABEC6FF6135F215DA94DB28A76F047A9923E6115FAED950B9972A4E701,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.749{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3717-63C5-8601-00000000B002}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.749{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3717-63C5-8601-00000000B002}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.749{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3717-63C5-8601-00000000B002}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.673{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3717-63C5-8601-00000000B002}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.673{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.673{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.673{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.673{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.673{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.673{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.673{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.673{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.673{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.673{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-3717-63C5-8601-00000000B002}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.673{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3717-63C5-8601-00000000B002}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.673{312A7A06-3717-63C5-8601-00000000B002}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:00.904{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD414FCD87F407C9570E9D7E2C8AEEAA,SHA256=C377B97E22293A6B1F6604873EAE2B72247D3A037421F59DBE25F0C09F32E952,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:57.498{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49877-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:00.484{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC60C7FC8437B911D36F89CDB8D6A358,SHA256=32E958D6A95708184211E88B8C92C3CFD6061C8C4FE0EA552414C42637DD0AB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:00.456{312A7A06-3718-63C5-8701-00000000B002}224136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:00.308{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3718-63C5-8701-00000000B002}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:00.308{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:00.308{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:00.308{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:00.308{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:00.308{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:00.308{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:00.308{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:00.308{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:00.308{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:00.308{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-3718-63C5-8701-00000000B002}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:00.308{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3718-63C5-8701-00000000B002}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:00.309{312A7A06-3718-63C5-8701-00000000B002}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:01.979{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9E4239B174A428B3D6F98956EEB75C1,SHA256=B22AAE68D72556854B3E3653414B71128F9CE6DCEA23D71B225AC6402B49AC79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:01.575{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCC8488D6E52119F1AD75D110C4989EC,SHA256=88FA71C18EFFB03BD589D23F16326184FA85D721F3721DB49AB31073BD402572,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:01.435{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3719-63C5-8801-00000000B002}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:01.435{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:01.435{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:01.435{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:01.435{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:01.435{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:01.435{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:01.435{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:01.435{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:01.435{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:01.435{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-3719-63C5-8801-00000000B002}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:01.435{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3719-63C5-8801-00000000B002}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:01.436{312A7A06-3719-63C5-8801-00000000B002}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000027881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:57.506{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59232-false10.0.1.12-8000- 10341000x800000000000000027904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.744{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.737{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 23542300x800000000000000027902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.631{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=836406FFA423D350EBE1320EA8394872,SHA256=B93F3A5E4D405ECEFACE816DB12FC9B6B49B182CA5D11400C158E083119A4664,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:02.588{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFEFB5A575FC7F8A098BF3B289C9084E,SHA256=920D07C85D9D1029DBE2BEE1DA21E8477AA39046F3FF209F6908EF941E4C1FEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.366{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.354{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.347{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.342{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.341{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.338{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.309{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.303{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.289{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.282{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.277{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.242{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.233{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.222{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.214{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.201{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.190{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.108{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000027883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.105{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 23542300x800000000000000027905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:03.714{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7293E5897DD6710311014D93A4A58D76,SHA256=D97892DC24B099703EA7092CBD69212480F71A7A19D6E317430DE520B3A0FF4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:03.049{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4302554315725FDD95D4E12237CECD8C,SHA256=29952CB66D0D3312C0B1F47071AAD678C2632E3954D0F1FF0ED64E1E8CE9AB58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:04.803{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20A2D035973D01B2300A8E920B1EC31A,SHA256=DD76E24A95CDA6A7D7A0FC3BAA485F05B2DF28A5FC1504E17A80BAB4F40A9F2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:04.778{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:04.777{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:04.772{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:04.770{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:04.769{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:04.763{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 23542300x800000000000000011532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:04.143{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A9A2EBA2DFB4C57C93BDC815095A279,SHA256=971E89031B46EF3A672ECC285F84753A4E72A080DB2BA37050D6A630C4CCC1F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:04.524{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:04.524{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:04.524{FCCA13C7-30EC-63C5-0B00-00000000AF02}628808C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:04.510{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-AF01-00000000AF02}3376C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.865{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EE1BF6EF517369933BB4DD630B9CAD,SHA256=6A51EA3374DC65314AB3DFB319BCF27E96B03D68D079E7EE2460D6C259D27A20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:05.243{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3500FB952971CCF7C1E07B78F8FAADEA,SHA256=5C3435C92A8366849F471F998C0A7BBBC607C576EFA3876CF71A33062B4B9EA7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.414{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.406{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.390{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.388{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.353{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.340{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.323{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.318{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.317{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.314{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.311{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.310{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.305{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.301{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.299{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.297{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.296{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.293{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 23542300x800000000000000027937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:06.953{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2BFE43FBDF6FE065D21259AD93A6483,SHA256=09454ED83BFEC789AE3AFF05D9EEED885F5E423E2F23A095B4A12FF3ACDAFC4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:06.330{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8376EF9680F72B52D594D0F261671138,SHA256=379A2F9B7151A36DD6545BB7B335490D2F102D77578298BD30B997FCC06646E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.577{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59233-false10.0.1.12-8000- 23542300x800000000000000011536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:07.423{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12413BA17695EBBF806AF6726B54411E,SHA256=3E65E9157475F0A5D6A4478EFA9A096978A4A8453FFB58185A1A520F6FA4E45B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:03.404{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49878-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:08.509{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5308A54C2FC70C73F1C509FFC8547FC,SHA256=03EFC598A33AB1AAF01859057F2D6259CC4080B6D821918B1B3FC6EC0BCE4BC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:08.769{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:08.769{FCCA13C7-30EE-63C5-1600-00000000AF02}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=C72A6283B39580EC550F967F1E59D763,SHA256=742889C6B072C88C3FDD5A7965060BCEA4DEFBE8029EF650DFCBB71C4284BBB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:08.738{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30EA-63C5-0100-00000000AF02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000027941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:08.628{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:08.628{FCCA13C7-30EC-63C5-0B00-00000000AF02}628808C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:08.613{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csvMD5=C72A6283B39580EC550F967F1E59D763,SHA256=742889C6B072C88C3FDD5A7965060BCEA4DEFBE8029EF650DFCBB71C4284BBB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:08.144{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9803CA3A6B144BB5742D3E5A338A65A9,SHA256=E08F4E5FE780E593084482C3385C53040D685E1637B894552CE7C0AEABD65BFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:09.997{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:09.988{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:09.961{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:09.955{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:09.948{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:09.941{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:09.935{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:09.925{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:09.922{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 23542300x800000000000000011539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:09.601{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33B0A36B2B727B9B9D5E79CC2BDE6DCA,SHA256=6BD8ED3AEB4D2AE434E7F6BD97E12CD9F5CFA720092E21F6A24DE5E0CA4B5AD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:09.779{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E486B619D526A682B0E3FE9FF18A5FF4,SHA256=2DC5370C38DA458865A62BAE0CBEB8A9D9353A2E9ECEC50D60C29D02280570F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:09.748{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B4F6F7AB2858B6A384E7C17862E988C1,SHA256=313213A3F57EA8DBF4498D4D73CBF2AB163A9CA34A7833C604025D2AA22CA45B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:09.231{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=921D8B74B381A026C08ABB78659345E3,SHA256=42B5A95BC6760CA8E715F6ADAA804C2AABF476534B4BBC1CC47F17F8A4895F79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:09.489{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\respondent-20230116112145-015MD5=B18DB66107F9A3DB58AE009D35CE0A39,SHA256=9B023875329D6D96D1D2E2C61D5FC66BDE525A94E7FC76E10487647BF6E62E63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:10.319{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C5C2F78C4D4CFFD053716DAAEE223F,SHA256=125A32E6242FCC5EA1F456588D768E583C2867AC6B34845D3F9CCDD04C4926F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:07.212{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59236-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local445microsoft-ds 354300x800000000000000027953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:07.212{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59236-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local445microsoft-ds 354300x800000000000000027952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:07.110{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59235-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:07.110{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59235-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:07.102{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59234-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:07.102{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59234-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 23542300x800000000000000011571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.488{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\surveyor-20230116112142-016MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.099{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.097{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.095{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.094{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.091{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.083{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.083{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.080{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.080{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.077{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.075{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.074{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.070{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.064{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.060{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.052{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.045{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.032{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.031{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.024{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.014{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.008{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 23542300x800000000000000027948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:10.037{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CDF34554CF947DF68B97A2A21BE20446,SHA256=34DAD8A9D88FCB3E8B246F3FE6A3F53DAB6351DA62C65B9F04B58DB24C029FBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:08.489{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49879-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:11.117{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD331B01ADF607BF4A6271313A7FC633,SHA256=AB5E9FF257B76F648D496A15FB9AF39425223A4C827925E8F5FB8CE854401DCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:11.417{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F536A5348A72FD0F512483B0902BBC7D,SHA256=1A7B63204468125BEA8558C168695ABA4C2F012C89D4448EF88318342D781602,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:07.671{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59237-false10.0.1.12-8000- 23542300x800000000000000027958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:12.383{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85B7D02F7D6FEDA9A42EF4D48660CFF,SHA256=E038D94C22C56629C430E4F4685B4C1C61EB9E65296FF088E1EAE0A445F24D75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:12.424{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C435EB470AAEACB659DB9E17E18CCCC,SHA256=0C30F26FBB23AECF0A528135DEE4025C8547E55A3C1962E63DB16AE0E93FFD39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:13.476{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F67E804C1A214441A11F756A5210616D,SHA256=F16C8912FB28C155170154C0F6ADE7FD6EAAD10451D47F054F19AFE3BB4F2DE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:13.509{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91FF5BFA0A6D84C20035CEE9D5962137,SHA256=83DB80857178BAFBCA015FBEB245D1BDDE8818B66CFC9209DC089965FA654129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:14.594{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67FFC35FE23D1055979D030CDA62405E,SHA256=8AEC8FFBE0B661CDA3FA6A6954FF87797BD1BB4B4047B64BA64F9F4DB59E028A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:14.560{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAB0C4499C7F0AA1B8F7F2CB596C3F7D,SHA256=70C98CA0EECA6B7A6A704B0F3C9C1BD37616FEA16DDFEA3819205903442327AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:10.263{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local59238-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:10.263{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local59238-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 23542300x800000000000000011577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:15.677{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54AC7E405368F72EB4CA998062A8CD11,SHA256=28A2EC095B8A3307757C92682F793838600C5FEA09A5E060B297012B6BCBC80F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:15.641{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6511C9A3771C3EE5D2DDE7BC0CD77987,SHA256=AEC31197A50805E697E876AFD514776FDDC1C671E0B8FB27D4E1A9C89B3B4F12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:16.756{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9331D9D26A9C6EB8B913BAB886A85DA,SHA256=B95AF3131D031348D60547C3F756948491B545FF5617DEE83789E4714C6772EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:16.723{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C01D378F271D2457FCDCCBD7CB657FD7,SHA256=4823626CC4E27AE241E8D6ACA20827AE54417A7125AE3DFA46779BFC60383258,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:13.545{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59239-false10.0.1.12-8000- 23542300x800000000000000011580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:17.839{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23B1D4258AA34BDE57C95A30A587519A,SHA256=F4559DF744ED29D930D41380109AA8B280041BB902C08746B40614E6C5595C69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:17.918{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C0B4F41A3BC9CC149867F1EF0C57FC0,SHA256=3E911DFF6E160FB3311C5128E6EA8BE656B6047FCA0F92EF151D66DB8740F3E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:13.634{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49880-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:18.927{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE71927BA71EB9D201676BE6BFE82379,SHA256=2F61171671B2F695407800872813E21E02047F638E64E8804293589440B96E8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:18.731{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:18.776{FCCA13C7-30EC-63C5-0B00-00000000AF02}6282324C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:18.776{FCCA13C7-30EE-63C5-1600-00000000AF02}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=A45950EC20D2406D9CC88E73F5992761,SHA256=D3B46309F51B6D99C3E09A5954C3D475C9508F7CE7834DE16B6C1B90271DA774,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:18.635{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:18.619{FCCA13C7-30EC-63C5-0B00-00000000AF02}6282324C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:18.619{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csvMD5=A45950EC20D2406D9CC88E73F5992761,SHA256=D3B46309F51B6D99C3E09A5954C3D475C9508F7CE7834DE16B6C1B90271DA774,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:19.768{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2492D2AF43CFD29B98488B0A721507CD,SHA256=8BA03D8806CA1313E58CBAD89B3D998DAB0C90AD81FCF3B42ACA27BFFC29F2A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:19.658{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=531FC618A70C8B4575787B9648981794,SHA256=DCCF7E44AEB5BC22921051025C75012A13D8D0F627F86DF5487B910AEF153276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:19.011{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B3752BF1D86800091686B96C142B56B,SHA256=31996028BDD58103C2F758A12B05700513A732D17B2B1CB4E6FD6406CAF54332,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:17.101{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49881-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000011583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:20.005{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0A25EB4CC7BC384F2DB43BF944A32F4,SHA256=142A25C0B31ECD9B18DBEE5EC34DA2EB4B41FEC00D94A5A0DAEB7BEB1272F294,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:17.109{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59241-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:17.109{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59241-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:17.100{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59240-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:17.100{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59240-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 23542300x800000000000000027975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:20.097{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CA3ADB04CD18DAF0832A348CDF29359,SHA256=F0DE439A8EA998004553F0FEAA866334CDEFD5683E7DAC3499A1807C701246C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:21.073{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6629D6E290E302BDC6D2F6931352AABF,SHA256=EA36C0F2F4A38C2B6D6B0215B4256ABAE63790524E9BE3E18D5A2D2A1FF87286,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:18.614{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59242-false10.0.1.12-8000- 23542300x800000000000000027980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:21.195{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE7F11BF7BBF2371F9C923115CF2466B,SHA256=EF18BCD2A8DDFDEA8DA0D662BB5CC1C8C47288C5319C5FECA26C10A02A23018D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:22.141{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C3C0ACD48B44F474AF0FC8AAA464196,SHA256=DA7BD176F02E4AA1B80D9A714AD78D60134E98303F46D6546C679ACE5765CD43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.761{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.753{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.331{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.320{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.313{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.310{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.308{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.306{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.280{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.274{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000027993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.264{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2168888F322940AD0D00832B210DDF9,SHA256=D96E20AF766A7800C7577E1A9CFCF1D74826CE7DBFACA0FC969100148CB59997,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.260{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.253{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.248{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.211{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.203{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.188{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.181{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.171{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.164{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.116{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.111{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000011588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:23.211{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54DD00A2B3D2F4CB4E0EAD29BBA17BEE,SHA256=40F791C34566ED582EC0ECF4E65DC38E470E6EC5D1A4361FD4DF4A43E5D75776,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:23.705{FCCA13C7-372F-63C5-5605-00000000AF02}21163320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:23.565{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-372F-63C5-5605-00000000AF02}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:23.565{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:23.565{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:23.565{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:23.565{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:23.565{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-372F-63C5-5605-00000000AF02}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:23.565{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-372F-63C5-5605-00000000AF02}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:23.566{FCCA13C7-372F-63C5-5605-00000000AF02}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:23.323{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3ABE64940148733CE47E9E1089AF1AF,SHA256=FEDA4986AB92454243CFA0894EC7BD0F5981A99295DDE42307BA0AD0F5F93294,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:19.587{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49882-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:24.300{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6B421F19A2DCC8C5FFB336B90CA865B,SHA256=C93F807E12E48A6E13E1B227774322674F67E1A0A9FE3C8D1C14CCAA4281A4E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.860{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-3730-63C5-5805-00000000AF02}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.860{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.860{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.860{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.860{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.860{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-3730-63C5-5805-00000000AF02}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.860{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-3730-63C5-5805-00000000AF02}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.861{FCCA13C7-3730-63C5-5805-00000000AF02}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.814{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.813{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.810{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.808{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.807{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.802{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000028023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.724{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=02386287A383DFE39B755832F63C1247,SHA256=3CBE469E7D0C53AD55BC7B058CBAE7F47785C860B70C38351F4CD5E9A2647744,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.395{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBAE303FBE17B0A04F870CE0EDDDCB0B,SHA256=3F91E86605714927E4BAB8BAEDA5003A387BF960FDE9DF349E6C73160FE820CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.193{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-3730-63C5-5705-00000000AF02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.193{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.193{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.193{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.193{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.193{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-3730-63C5-5705-00000000AF02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.193{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-3730-63C5-5705-00000000AF02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.194{FCCA13C7-3730-63C5-5705-00000000AF02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:25.406{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09F16029A32E484997FA12A030752EE9,SHA256=E7C06425836B9763B8341074702F5E511C5978339D685AF19B1DE3AF0363E6C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.869{FCCA13C7-3386-63C5-9501-00000000AF02}28963900C:\Windows\system32\taskhostw.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.728{FCCA13C7-3731-63C5-5905-00000000AF02}69803204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.635{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3AF6BECA11F399A1A78FF229E611203,SHA256=024A63C01D0E848C5446094F61E1459095A2681989ECBF9FBF2460A43C36E696,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.538{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-3731-63C5-5905-00000000AF02}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.538{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.538{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.538{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.538{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.538{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-3731-63C5-5905-00000000AF02}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.538{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-3731-63C5-5905-00000000AF02}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.539{FCCA13C7-3731-63C5-5905-00000000AF02}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.406{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.399{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.387{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.385{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.365{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.358{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000028050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.349{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=5CE543EE9F4909098465A66A418676F8,SHA256=61BF2961746B1F8C7EA11294C5368B9357EE6093851698421D6BC1EA6118EE51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.347{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.342{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.341{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.338{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.336{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.335{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.332{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.330{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.329{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.328{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.328{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.326{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000011591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:26.502{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E7946B2A82769E2726396BCA0F3F376,SHA256=2441E8E0A0754F0BDC947FE15ADA806DBBEBFAA4EA3A5D7A28158B481C7ECA28,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:26.532{FCCA13C7-3732-63C5-5A05-00000000AF02}43047100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:26.453{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5471B326A9B34F9D0F3A8A88DBF06A89,SHA256=ED6B63AD6685DE25218702D649FB695FE0E638FD12B134430068C6B3FFC30263,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:26.374{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-3732-63C5-5A05-00000000AF02}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:26.372{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:26.372{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:26.371{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:26.371{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:26.371{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-3732-63C5-5A05-00000000AF02}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:26.371{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-3732-63C5-5A05-00000000AF02}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:26.370{FCCA13C7-3732-63C5-5A05-00000000AF02}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:27.605{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E0735E162D16695E87A34D9CF1A727F,SHA256=E1A849F924CD08A2DFDAB2DD52B494BEDAB3F3FEF098E946153DC58A2BF9ACD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.619{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59243-false10.0.1.12-8000- 23542300x800000000000000028087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:27.535{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC07B0EC5281A17831665A25DA50E371,SHA256=118425B8F630F9974B08F322E848BFC6C96CE4F64A2F45D45B7E1EBD15769743,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:27.192{FCCA13C7-3733-63C5-5B05-00000000AF02}10447024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:27.035{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-3733-63C5-5B05-00000000AF02}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:27.035{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:27.035{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:27.035{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:27.035{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:27.035{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-3733-63C5-5B05-00000000AF02}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:27.035{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-3733-63C5-5B05-00000000AF02}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:27.036{FCCA13C7-3733-63C5-5B05-00000000AF02}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:28.710{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFB77B74D942A453BB572732BF1307F0,SHA256=682ED8222C8314AEBC817D09A2A82512C8B5C56470646CB37640EE024FA03347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:28.307{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DE068B754E7CB1542B8C41404E850F26,SHA256=9318F3D93B829DA1D9DEEBB52B2FD087A9194836EE3077AB288C59FB0B537829,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:25.423{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49883-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000028118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.415{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.415{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.415{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.409{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.409{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.409{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.241{FCCA13C7-3387-63C5-9D01-00000000AF02}12846000C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.241{FCCA13C7-3387-63C5-9D01-00000000AF02}12846000C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.241{FCCA13C7-3387-63C5-9D01-00000000AF02}12846000C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.241{FCCA13C7-3386-63C5-9501-00000000AF02}28963900C:\Windows\system32\taskhostw.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.241{FCCA13C7-3386-63C5-9501-00000000AF02}28963900C:\Windows\system32\taskhostw.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.210{FCCA13C7-3387-63C5-9D01-00000000AF02}12845724C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.210{FCCA13C7-3387-63C5-9D01-00000000AF02}12845724C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.210{FCCA13C7-3387-63C5-9D01-00000000AF02}12845724C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.210{FCCA13C7-3387-63C5-9D01-00000000AF02}12845724C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.210{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.210{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.210{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.210{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.210{FCCA13C7-30EE-63C5-1600-00000000AF02}12921508C:\Windows\system32\svchost.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.210{FCCA13C7-30EE-63C5-1600-00000000AF02}12921332C:\Windows\system32\svchost.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.131{FCCA13C7-3734-63C5-5D05-00000000AF02}60766636C:\Windows\system32\conhost.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.116{FCCA13C7-3383-63C5-8701-00000000AF02}33724520C:\Windows\system32\csrss.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.116{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.116{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.116{FCCA13C7-3383-63C5-8701-00000000AF02}33723484C:\Windows\system32\csrss.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.116{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.116{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.116{FCCA13C7-3387-63C5-9D01-00000000AF02}12844688C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\windows.storage.dll+16fcea|C:\Windows\System32\windows.storage.dll+16faa6|C:\Windows\System32\SHELL32.dll+5c3dd|C:\Windows\System32\SHELL32.dll+5b256|C:\Windows\System32\SHELL32.dll+4d869|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+5a0e3|C:\Windows\System32\SHELL32.dll+59fab|C:\Windows\System32\SHELL32.dll+598c7|C:\Windows\System32\SHELL32.dll+5958c|C:\Windows\System32\SHELL32.dll+125a17|C:\Windows\System32\SHELL32.dll+125975 154100x800000000000000028089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.115{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{FCCA13C7-3385-63C5-B3E7-140000000000}0x14e7b32HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\explorer.exe"C:\Windows\Explorer.EXE" /NOUACCHECK 10341000x800000000000000011603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:29.956{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:29.947{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:29.938{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:29.930{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:29.919{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:29.910{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:29.907{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 23542300x800000000000000011596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:29.805{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D6434CDD5A47C1F66FFF126B9AEF743,SHA256=7FABF58BEFDD2803CCFCDF805AB954F62C73BE4B951A116BEFB1FD69CBB4F064,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:29.828{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000028129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:29.828{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000028128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:29.828{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000028127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:29.058{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-3735-63C5-5E05-00000000AF02}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:29.058{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:29.058{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:29.058{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:29.058{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:29.058{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-3735-63C5-5E05-00000000AF02}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:29.058{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-3735-63C5-5E05-00000000AF02}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:29.059{FCCA13C7-3735-63C5-5E05-00000000AF02}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:29.058{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E69F7F1F42A9F10BBADE6D98612D2A,SHA256=2AD382E5D00DFA316A8478930236B426F484256AFF2693946D733731A192CA21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.117{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.113{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.111{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.109{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.104{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.102{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.099{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.098{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.096{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.093{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.090{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.088{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.084{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.074{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.072{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.067{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.060{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.045{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.043{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.035{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.029{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.022{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.009{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.002{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000028134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:30.866{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000028133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:30.866{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000028132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:30.866{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 23542300x800000000000000028131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:30.156{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF642D8AB651EBA2581D642CAEF209AB,SHA256=9F17961A528372317EF9AE04B556E9907EC46AFE38E035A42DE5AAE33B6816FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:31.341{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA3CD6BEE915DF5CC7BAFB5A30DE40C2,SHA256=8974B5876B8E7479DC6862496AABE56492B2E56349C7A1BC6ECED3E6988E0B39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:31.240{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7608BE28242E743C2D4D58BB2C40D13B,SHA256=2DF29743ADFB17933B2FC822DEB9F88179E5A0D74BA56FD9ADB103C6A0F59305,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:32.396{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F856E85663038790590B325C200414EC,SHA256=02F389A34615425251A45500BF1A415E552861C792503E5FC11DAF0C3F4AC89D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:32.319{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03FFDEDE1B49CDB85AFA5DE3CE10E386,SHA256=0D8AA756531A22CB34EF6C52772FA0D5600E0DB2A2D12D0FE8597CAE7D58A19B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:33.464{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECA8281175A9BA10A1B33A22790B6A6E,SHA256=5CF4200ABD068C25C6D53370CAFF568F4EAB8055BA1A047440AD13687975B0C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:33.410{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1ADE3A7FE15810C7D1B7B6B52636389,SHA256=539FF4AAB325C29E258C3298C15FE8174341544B9AD2FE162BF092ADF1508454,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:34.537{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD30FA349BE1C23A5C915450C0212D75,SHA256=6B89DB9FAF8F5CF552C3A93678BB26D2BD3F700BEF25B9ED68C8635F811C970D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:34.948{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:34.948{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:34.948{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:34.948{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:34.954{FCCA13C7-373A-63C5-5F05-00000000AF02}5528C:\Windows\System32\mmc.exe10.0.14393.4169 (rs1_release.210107-1130)Microsoft Management ConsoleMicrosoft® Windows® Operating SystemMicrosoft Corporationmmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\gpedit.msc" /update C:\Users\Administrator\ATTACKRANGE\Administrator{FCCA13C7-3385-63C5-B3E7-140000000000}0x14e7b32HighMD5=495BFF5AE1B52661212BB65F1CFDA718,SHA256=A08EC9D2F811726BDCD71F7C5B40CDB543D092C11811A45180E569FE3F62124D,IMPHASH=ED5A55DAB5A02F29D6EE7E0015F91A9F{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 10341000x800000000000000028154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:34.948{FCCA13C7-30EC-63C5-0B00-00000000AF02}628808C:\Windows\system32\lsass.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:34.933{FCCA13C7-30EC-63C5-0B00-00000000AF02}628808C:\Windows\system32\lsass.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:34.901{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:34.870{FCCA13C7-30EE-63C5-1600-00000000AF02}12921508C:\Windows\system32\svchost.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:34.870{FCCA13C7-30EE-63C5-1600-00000000AF02}12921332C:\Windows\system32\svchost.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:34.510{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0330C29F972D9974065603D8E0D891C,SHA256=206BB8634A9E3C197E6AC4626919E1B43558792D2DFFA73817EAB263DC642728,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.519{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49884-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000028148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:30.578{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59244-false10.0.1.12-8000- 13241300x800000000000000028147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:34.041{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000028146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:34.041{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0018a582) 13241300x800000000000000028145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:34.041{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92996-0xae8081fc) 13241300x800000000000000028144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:34.041{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d9299f-0x1044e9fc) 13241300x800000000000000028143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:34.041{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d929a7-0x720951fc) 13241300x800000000000000028142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:34.041{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000028141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:34.041{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0018a582) 13241300x800000000000000028140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:34.041{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92996-0xae8081fc) 13241300x800000000000000028139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:34.041{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d9299f-0x1044e9fc) 13241300x800000000000000028138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:34.041{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d929a7-0x720951fc) 23542300x800000000000000011633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:35.623{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=638A38B008C13F02BA739EFFD867B1FC,SHA256=E89AEA5A7D2EE943A19D4DC90475A5BB3291F58474FCE91643C3F7F017F6987E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:35.990{FCCA13C7-30ED-63C5-0D00-00000000AF02}9083964C:\Windows\system32\svchost.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:35.990{FCCA13C7-30ED-63C5-0D00-00000000AF02}9083964C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000028169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:35.833{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d9299f-0x11bde610) 23542300x800000000000000028168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:35.639{FCCA13C7-3386-63C5-9501-00000000AF02}2896ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\VFQMRO7Q\views[1]MD5=BEE1758A485085BB8A121EB74BA7E96F,SHA256=EDCAD5B1CE8A304B70B8C9EA57D4AEAB740D979FFA59243B943011CB1BA4D57E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:35.638{FCCA13C7-373A-63C5-5F05-00000000AF02}5528ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\6BJ8DAHX\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:35.626{FCCA13C7-3386-63C5-9501-00000000AF02}2896ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\6BJ8DAHX\views[1]MD5=A726593A8261930E4786375106FC6BFE,SHA256=E6BFDFBB9A0649EA9D38DE4255C355C581097E6A1035A54943260B22AD45F172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:35.624{FCCA13C7-373A-63C5-5F05-00000000AF02}5528ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\DG3B2HYU\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:35.606{FCCA13C7-3386-63C5-9501-00000000AF02}2896ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\DG3B2HYU\views[1]MD5=BEE1758A485085BB8A121EB74BA7E96F,SHA256=EDCAD5B1CE8A304B70B8C9EA57D4AEAB740D979FFA59243B943011CB1BA4D57E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:35.605{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEEAC5F749468F35A85E1D5877054C4A,SHA256=0BB071AA405E5C13025EAA734F8F486F29E0E2FA7A4D5627BA25218EAB90B5F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:35.601{FCCA13C7-373A-63C5-5F05-00000000AF02}5528ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\VFQMRO7Q\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:35.230{FCCA13C7-3386-63C5-9501-00000000AF02}2896ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\VFQMRO7Q\views[1]MD5=A726593A8261930E4786375106FC6BFE,SHA256=E6BFDFBB9A0649EA9D38DE4255C355C581097E6A1035A54943260B22AD45F172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:35.230{FCCA13C7-373A-63C5-5F05-00000000AF02}5528ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\6BJ8DAHX\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:36.703{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44A0869827C0EF073B872A384BD94E34,SHA256=5F7AD5C44D71BB51D52289877957CCC1078A6BBA4C9BA67A37F0BBBE4D78B2FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:36.692{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=988FE20885E357330CDC3409B911B913,SHA256=2618E2A4348F009F2AE4CAB0A65A1F9AE307F27C6258D93A7E1CAD575ECD3C16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:36.368{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=306370AE9F68A388387C5E265696E8F0,SHA256=CB2736BADFA1F2E9832825D08AF0783F337E20A1BE54949E19313FFEC6075CF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:37.796{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F327B44E5481ACC156FBDB06BEAAC298,SHA256=A05F8486231F3293090FD6E4C5DD5982241069503861FFBEB8C2A9AD89EDE4B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:37.883{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\respondent-20230116111158-025MD5=3A7897B317CA03B79FE07533175F9643,SHA256=F76FF17815B8F96571634A983322FD544389A7130FC207258DDFB92658757A4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:37.770{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=661B1E5C1E367334EDC612283A2863A2,SHA256=912F6017B1873D37C7C58C245508545E904AECA1491171AC6670D45B31E469C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:37.661{FCCA13C7-3387-63C5-9D01-00000000AF02}12846000C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:37.661{FCCA13C7-3387-63C5-9D01-00000000AF02}12846000C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:37.661{FCCA13C7-3387-63C5-9D01-00000000AF02}12846000C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:37.645{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:37.645{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:37.645{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:37.645{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000011636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:38.870{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=245116C4117C45B2B39E6F097E115A57,SHA256=3C24D0BE4778494777BD48D2551258152A6403D53B6092072AD7F0E902C8127A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:38.887{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\surveyor-20230116111156-026MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:38.870{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BCD7B681D990879AF722C689D441CBF,SHA256=2170233F02D9DB4C1297CE348C152D0A640EB69559357BB068A483893D23BF55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:39.947{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AFB5D06B604744A0C87B459802812DB,SHA256=BDBAD065E28317248917B1FD7B547A1BB806AE3117A8EAAC491060741BD1AA61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:39.967{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B0ADC7D01AD52D0483E37B1FB6684E3,SHA256=1EE0FBE1B1BEC577749C5392ADCCD61EAFE40BEF9BF462C57B3C03F238B49114,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:36.465{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49885-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 13241300x800000000000000028190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:39.498{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x800000000000000028189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:39.498{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x800000000000000028188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:39.498{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x800000000000000028187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:39.498{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d9299f-0x13ed23df) 13241300x800000000000000028186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:39.498{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x800000000000000028185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:39.498{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 354300x800000000000000028192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:36.505{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59245-false10.0.1.12-8000- 23542300x800000000000000028193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:41.053{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63851777D31926710031B288614DAD07,SHA256=20681E2E7F3F1E9543A2114E1A605F4D093F81C380F401EE1D2609A16D000725,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:41.051{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D10802E02C49AC18C210D815546E4830,SHA256=87720A3D1F2F7573E1F36BEF42631BA6574BFB50E66CE0214A565D476CD3730B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.827{FCCA13C7-3386-63C5-9501-00000000AF02}2896ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\DG3B2HYU\views[1]MD5=BEE1758A485085BB8A121EB74BA7E96F,SHA256=EDCAD5B1CE8A304B70B8C9EA57D4AEAB740D979FFA59243B943011CB1BA4D57E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.826{FCCA13C7-3742-63C5-6005-00000000AF02}6952ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\VFQMRO7Q\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.805{FCCA13C7-3386-63C5-9501-00000000AF02}2896ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\VFQMRO7Q\views[1]MD5=A726593A8261930E4786375106FC6BFE,SHA256=E6BFDFBB9A0649EA9D38DE4255C355C581097E6A1035A54943260B22AD45F172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.800{FCCA13C7-3742-63C5-6005-00000000AF02}6952ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\6BJ8DAHX\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.788{FCCA13C7-3386-63C5-9501-00000000AF02}2896ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\6BJ8DAHX\views[1]MD5=BEE1758A485085BB8A121EB74BA7E96F,SHA256=EDCAD5B1CE8A304B70B8C9EA57D4AEAB740D979FFA59243B943011CB1BA4D57E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.787{FCCA13C7-3742-63C5-6005-00000000AF02}6952ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\DG3B2HYU\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.625{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.619{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 23542300x800000000000000028221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.562{FCCA13C7-3386-63C5-9501-00000000AF02}2896ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\DG3B2HYU\views[1]MD5=A726593A8261930E4786375106FC6BFE,SHA256=E6BFDFBB9A0649EA9D38DE4255C355C581097E6A1035A54943260B22AD45F172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.560{FCCA13C7-3742-63C5-6005-00000000AF02}6952ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\VFQMRO7Q\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.320{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.319{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.319{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.319{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.318{FCCA13C7-3742-63C5-6005-00000000AF02}6952C:\Windows\System32\mmc.exe10.0.14393.4169 (rs1_release.210107-1130)Microsoft Management ConsoleMicrosoft® Windows® Operating SystemMicrosoft Corporationmmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\gpedit.msc" /forceC:\Users\Administrator\ATTACKRANGE\Administrator{FCCA13C7-3385-63C5-B3E7-140000000000}0x14e7b32HighMD5=495BFF5AE1B52661212BB65F1CFDA718,SHA256=A08EC9D2F811726BDCD71F7C5B40CDB543D092C11811A45180E569FE3F62124D,IMPHASH=ED5A55DAB5A02F29D6EE7E0015F91A9F{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 10341000x800000000000000028214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.309{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.280{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.271{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.264{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.262{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.260{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.258{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.234{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.228{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.216{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.210{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.206{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.180{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.169{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.160{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.154{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.146{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 23542300x800000000000000028197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.142{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2DEF05656DB6B558A364AEC0E2E75F1,SHA256=F08CAF6600EFDC2562395D2B235BBC85D57285B19EB5FFCE321D22398DCC0319,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.138{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.105{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.103{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 23542300x800000000000000011640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:42.129{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39ACCAE8C4853BB92EC3B0DAAB268890,SHA256=A4ECDB95177A7A84A95C24D44F909DDB8993CD3476701982415220D050EE4882,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:43.899{FCCA13C7-30ED-63C5-1100-00000000AF02}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F2E8DAB971D0329B811B554307D8F752,SHA256=C9AA8006AC744E1E20B048CC1550E4F27527AE52CA3A8E67695EC54617FA10D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:43.622{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5233D0C11AD1B211418C7D435170AED,SHA256=44135E851FB5847F643775132F149CFC5C600C133EEE2FDD41411AA5562FF95D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:43.481{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF338C7A6083F7E90758B5FBA84F0B8,SHA256=8E822D7825305ECC8786EF4BFC6A134D59DB008FC8127012B26046BADB70B751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:43.719{312A7A06-3345-63C5-1200-00000000B002}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6E15D2FE929998E77B6B1C803C03C529,SHA256=0628F24E2EA59CE0B843C07C8DEFBB01B69854944232C25F593463F084F2FD3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:43.206{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCF567E3F54814F6D340B5A8B5D39DB9,SHA256=51AAB2AEF63FACACBD60B72C1B964C6B7B1E9FD592DCFF2BDE0940A5A463B3E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:44.675{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:44.673{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:44.670{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:44.668{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:44.666{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:44.659{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 23542300x800000000000000028240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:44.612{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F85D8031F6CAB1AF20B0EDA48DAACDF4,SHA256=77066243979A7601F0CA1FA3953522ED417A01D94E98E894A9F182242D07EC5D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000011654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:38:44.957{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000011653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:38:44.957{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000fa436) 13241300x800000000000000011652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:38:44.957{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92996-0xb50855be) 13241300x800000000000000011651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:38:44.957{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d9299f-0x16ccbdbe) 13241300x800000000000000011650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:38:44.957{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d929a7-0x789125be) 13241300x800000000000000011649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:38:44.957{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000011648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:38:44.957{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000fa436) 13241300x800000000000000011647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:38:44.957{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92996-0xb50855be) 13241300x800000000000000011646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:38:44.957{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d9299f-0x16ccbdbe) 13241300x800000000000000011645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:38:44.957{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d929a7-0x789125be) 354300x800000000000000011644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:41.546{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49886-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:44.295{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2B24FA5B9A17AF72FABD327562C74F2,SHA256=6D9C227E49F76EE340650B3CB373791ABA876BD97BDBFF66BDD7D8906A0EE6CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:44.372{FCCA13C7-3387-63C5-9D01-00000000AF02}12846000C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:44.372{FCCA13C7-3387-63C5-9D01-00000000AF02}12846000C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:44.372{FCCA13C7-3387-63C5-9D01-00000000AF02}12846000C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:44.372{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:44.372{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:44.372{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:44.372{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.786{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D79166572D7319749DDD80585C8FCC6,SHA256=57E7952DA2B301F3F5911884E5CF54969F2258C1119AAB3BC803154C1A3FDFD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:45.406{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE49F9ACA8018CD9C363A599012D7BD,SHA256=2E0314805E10BBBCC31108A9FC9429987D81C047360986A336D2602E00ED303D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.295{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.294{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.269{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 354300x800000000000000028264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:41.624{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59246-false10.0.1.12-8000- 10341000x800000000000000028263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.262{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.248{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.245{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.222{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.216{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.202{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.197{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.196{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.193{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.191{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.190{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.186{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.183{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.182{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.182{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.181{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.179{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 23542300x800000000000000028269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:46.796{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=632AC0E35D976C267A8370607C91A0FD,SHA256=C9DCE9E255D1FDC10CF4E45A90FD2032207807D76876140157457C46FC3AC8AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:46.505{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F9F0D329B43ED07F4D931288692D04F,SHA256=A49DE66163569873204DA1083EDA230E8CE880BCB1327FAF6CE6F31296B2AAE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:47.888{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A0FAB1AD30C894BA9EC22D18B5E0B9B,SHA256=448A1F19897630B2DD702FD8D3A71D9506B13B6EE200551A932A109EFD72A1E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:47.594{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=695D9A930754F023B540002DBC6D5BA7,SHA256=6347088A11B7830C03D49D6A922F00FF1E79667430F30DE1F6E568F3B7F2B8A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:47.185{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:47.185{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:47.185{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:48.979{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=001199C61AF9B83FAD7DE094E875E34D,SHA256=6293C5337FF5A2F77C6145F1E234C34566B5DBC5C8CB9A93E3ABD1B5E36FC60D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:48.676{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D430BE3B7FAD98B3FBF3A0DE687C88B,SHA256=786D8A7B7641B87A6074FD3287E82A85ACDC929AB0CDD1AF1C377FB1A791E028,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:49.996{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:49.975{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:49.966{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:49.953{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:49.945{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:49.939{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 23542300x800000000000000011662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:49.766{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2453BDB65105AA960B58582EABE93FD9,SHA256=51FB9A0205F70F4A82DB89E299B63380A6CA6C0DAAA137EC40E34D765D045069,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.978{FCCA13C7-30EC-63C5-0B00-00000000AF02}628756C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.947{FCCA13C7-30EE-63C5-1600-00000000AF02}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\templates\policies\tmpgptfl.infMD5=F443C7B00E42C58336E9113C4B92A1EA,SHA256=01406B7BD612A8321213382482E44EA2C7B5467B57E17E9C135EAB2A8221FAEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.947{FCCA13C7-30EE-63C5-1600-00000000AF02}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\templates\policies\tmpgptfl.infMD5=26FFB2926F32F78EAEF80D8A870A88C6,SHA256=BA4E44773C9233D16C9950097A1D1FEF3AB2E8376120959E529DC97EF1871D7C,IMPHASH=00000000000000000000000000000000falsetrue 18141800x800000000000000028292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-ConnectPipe2023-01-16 11:38:49.947{FCCA13C7-30EE-63C5-1600-00000000AF02}1292\scerpcC:\Windows\system32\svchost.exe 23542300x800000000000000028291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.947{FCCA13C7-30EE-63C5-1600-00000000AF02}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\templates\policies\gpt00001.infMD5=DBBF697C05F302D06DD05403297DB608,SHA256=632CAD193E30E450B7753E6D16643B576DFABAA1FA60E8D29DA7665946810599,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.947{FCCA13C7-30EE-63C5-1600-00000000AF02}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\templates\policies\gpt00000.domMD5=338F5A9E4E606FC803055C8314E3F366,SHA256=DD15D6AD575AD10CBA979783EE68DC6A5A21ECDABDB4E0678F83870931BBD317,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.916{FCCA13C7-30EE-63C5-1600-00000000AF02}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\tempntuser.polMD5=74ED163F3DBD037DE7C0B8FFA0C38E3B,SHA256=987BD290A6DFD0F530BE33C02A1316320E389385B131C1BBA63210947A2A8E15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.885{FCCA13C7-30EC-63C5-0B00-00000000AF02}628756C:\Windows\system32\lsass.exe{FCCA13C7-30EA-63C5-0100-00000000AF02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000028287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.830{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3749-63C5-6105-00000000AF02}6560C:\Windows\system32\gpupdate.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.830{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3749-63C5-6105-00000000AF02}6560C:\Windows\system32\gpupdate.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.830{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3749-63C5-6105-00000000AF02}6560C:\Windows\system32\gpupdate.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.826{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3749-63C5-6105-00000000AF02}6560C:\Windows\system32\gpupdate.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.826{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3749-63C5-6105-00000000AF02}6560C:\Windows\system32\gpupdate.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.826{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3749-63C5-6105-00000000AF02}6560C:\Windows\system32\gpupdate.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.779{FCCA13C7-30EC-63C5-0B00-00000000AF02}628756C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.779{FCCA13C7-30EC-63C5-0B00-00000000AF02}628808C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.748{FCCA13C7-3734-63C5-5D05-00000000AF02}60766636C:\Windows\system32\conhost.exe{FCCA13C7-3749-63C5-6105-00000000AF02}6560C:\Windows\system32\gpupdate.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.748{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.748{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.748{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.748{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.748{FCCA13C7-3383-63C5-8701-00000000AF02}33725032C:\Windows\system32\csrss.exe{FCCA13C7-3749-63C5-6105-00000000AF02}6560C:\Windows\system32\gpupdate.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.748{FCCA13C7-3734-63C5-5C05-00000000AF02}43646272C:\Windows\system32\cmd.exe{FCCA13C7-3749-63C5-6105-00000000AF02}6560C:\Windows\system32\gpupdate.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.757{FCCA13C7-3749-63C5-6105-00000000AF02}6560C:\Windows\System32\gpupdate.exe10.0.14393.3986 (rs1_release.201002-1707)Microsoft® Group Policy Update UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationGPUpdate.exegpupdate /forceC:\Users\Administrator\ATTACKRANGE\Administrator{FCCA13C7-3385-63C5-B3E7-140000000000}0x14e7b32HighMD5=2A360690356FCE21B7F18F4DB3CB8BF2,SHA256=AE6E09BD8130D3488FEE07248EFB58B08EB64B3C8F2FE64DD56A196BA82A299B,IMPHASH=B850A25F38035110A9276C6D7150694A{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 354300x800000000000000028340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:48.262{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59251-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000028339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:48.262{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59251-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000028338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:48.255{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59250-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000028337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:48.255{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59250-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000028336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:48.247{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59249-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local49666- 354300x800000000000000028335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:48.247{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59249-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local49666- 354300x800000000000000028334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:48.246{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59248-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local135epmap 354300x800000000000000028333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:48.246{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59248-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local135epmap 23542300x800000000000000028332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.833{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19E7F72FE3D9B26CFDE5FC1C6AF231FE,SHA256=7A0D7BFAE182DB15A54686835A939859F9F2D177B8B0131FE0A599ACBED03432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.820{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5294A0AB6C4642F0144F9C44FF705503,SHA256=4251D1D5A5427D699D9ACA8BD6EA410DA9A4CCC83271EC8EA46C729470969722,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000028330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.780{FCCA13C7-374A-63C5-6205-00000000AF02}7056C:\Windows\System32\taskhostw.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 13241300x800000000000000028329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:50.763{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000de5) 10341000x800000000000000028328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.511{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.511{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000028326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:50.511{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Options\EnablePacketQueueDWORD (0x00000000) 10341000x800000000000000028325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.511{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.511{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.511{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.511{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.511{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.511{FCCA13C7-30ED-63C5-0C00-00000000AF02}848892C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.511{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.511{FCCA13C7-30ED-63C5-0C00-00000000AF02}848892C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000028317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:50.511{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 23542300x800000000000000028316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.495{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D933CA44F6627D52757DAF005764367B,SHA256=B67D10E26C150440B36DAFE9E638E82ED79286FF4B5585F3C4DD211931ADCD97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.464{FCCA13C7-30EE-63C5-1600-00000000AF02}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\WindowsUpdate.logMD5=038356387332650843BCB352BB89A101,SHA256=492C9B102256321FB5598FF87ED5BCCAB8159F36DD8416CE4011FFBF5E96048D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.464{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.417{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.401{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.401{FCCA13C7-30EC-63C5-0B00-00000000AF02}628808C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.401{FCCA13C7-30EE-63C5-1600-00000000AF02}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=0AEDEF3F98A680A334ED235D4D1148B0,SHA256=21B8564D402A5C1BB2DD31C7C15AA4CB8860CAA56C02C320B823B0EA916885E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.401{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+58a7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.401{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.401{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.401{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000028305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:47.545{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59247-false10.0.1.12-8000- 10341000x800000000000000028304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.370{FCCA13C7-30EC-63C5-0B00-00000000AF02}628756C:\Windows\system32\lsass.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000028303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:50.370{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\NTDS\Parameters\ldapserverintegrityDWORD (0x00000001) 13241300x800000000000000028302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:50.370{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Netlogon\Parameters\requiresignorsealDWORD (0x00000001) 13241300x800000000000000028301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:50.370{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\requiresecuritysignatureDWORD (0x00000001) 13241300x800000000000000028300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:50.370{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\enablesecuritysignatureDWORD (0x00000001) 13241300x800000000000000028299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.localT1101SetValue2023-01-16 11:38:50.370{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001) 10341000x800000000000000028298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.370{FCCA13C7-30EC-63C5-0B00-00000000AF02}628756C:\Windows\system32\lsass.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.354{FCCA13C7-30EC-63C5-0B00-00000000AF02}628756C:\Windows\system32\lsass.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.073{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D72506D47C8E69F530EC91DF476D0A,SHA256=78D9E7893A325E350DF161737ABF38F46DE9AD343AD1F7BB9E91BEF9579C7A0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.154{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.153{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.151{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.150{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.146{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.144{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.143{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.138{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.138{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.135{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.134{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.132{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.127{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.117{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.115{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.110{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.103{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.089{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.087{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.079{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.071{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.063{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.042{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.037{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.002{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 354300x800000000000000011695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:47.476{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49887-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:51.014{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E04352D02161C973B4C8FB3472C7FE3,SHA256=7BBF3E080E207AAF9FDC26133AD67688E7121C8022E27A14D05F54696D3DDAC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.266{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59256-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000028352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.266{00000000-0000-0000-0000-000000000000}7056<unknown process>-tcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59256-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000028351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.237{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local59255-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 10341000x800000000000000028350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:51.777{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3749-63C5-6105-00000000AF02}6560C:\Windows\system32\gpupdate.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000028349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:51.777{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3749-63C5-6105-00000000AF02}6560C:\Windows\system32\gpupdate.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000028348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:51.777{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3749-63C5-6105-00000000AF02}6560C:\Windows\system32\gpupdate.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 354300x800000000000000028347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:48.893{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59254-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000028346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:48.893{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59254-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000028345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:48.887{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59253-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000028344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:48.887{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59253-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000028343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:48.359{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59252-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local445microsoft-ds 354300x800000000000000028342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:48.359{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59252-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local445microsoft-ds 23542300x800000000000000028341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:51.386{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6B4D4BFC88DAC8BAF6E253708A2FC5D,SHA256=F2E0D591F198008DB652D5328FF5BE2F14E41AC8CE8A831B79398886F0AFBABD,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000028358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.252{00000000-0000-0000-0000-000000000000}7056win-dc-ctus-attack-range-221.attackrange.local0fe80::5d46:b69e:195c:9972;::ffff:10.0.1.14;<unknown process> 354300x800000000000000028357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.292{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59257-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000028356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.292{00000000-0000-0000-0000-000000000000}7056<unknown process>-tcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59257-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000028355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.237{00000000-0000-0000-0000-000000000000}7056<unknown process>-tcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local59255-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 23542300x800000000000000028354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:52.454{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC9A494C00A78B76FAE74BE16EDF783C,SHA256=FCD0DA39ACEDC50FD4FA461ECADA282A2AF636E1CE53BE70BD1D7D7F29BFCCEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:52.906{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:52.906{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:52.906{312A7A06-3345-63C5-0B00-00000000B002}628668C:\Windows\system32\lsass.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:52.893{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1D00-00000000B002}1996C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000011696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:52.112{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F05FD783D2F295AB7F9400320867A36,SHA256=6CC1B4B18DF00AA504D78D25D5BA380B3F9F39EBC9939B59F432E286FEC82122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:53.556{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C6C0C3CA391866CBC058950AC45A001,SHA256=3426BDFBF44BBB9DCB5179E8DCAA565B546BD5235C7A22516A375EE17608DC68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:53.183{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=516A428B3AA6A9087A0511DDFFC0CDD4,SHA256=9B7CDB084AC582D232B05F219838BE376EC8B963896AEDA2AC908BC472139E29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:54.824{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8541761536A7FA436BCBA987596C7CCA,SHA256=CBEBAC05986E0FAFE6E60971E8D5374AA7184ED92CD6486F5646E7916CD92774,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:54.652{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=952839625F5EA815FFB85F8E2A9B4EF7,SHA256=9AB6E40162C6CACE0F682D9C63A44FAF93259475B0365A2D67C931A77A690179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:54.274{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEE162D93479B487C928E617B3BF0AAF,SHA256=D363991EBD56CEBE3ADD0C4A2A247D593C6B065C7CB9BCA11FC0102A1358B408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:55.740{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19DEFB0E7B6BD665364E2FC2FF553358,SHA256=C52653E5B116DA7371FF7409D08B5FCA78BAF55780A92E4A4C2DD3AA3B5447F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:52.487{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49888-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:55.358{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=368F7AE0C27C52DA5A4D1CE11819107E,SHA256=7B7CDBB14B7AA13305A9D5F9E4889BC527E9657B121033845EEA3BEB35B91650,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:56.825{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EA45687B396714C12FBE484E56AE655,SHA256=A01AA6C808F7A7A9ED94427B89062D496C6EC3C724E796DDE4A89C784AA9099F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.788{312A7A06-3750-63C5-8A01-00000000B002}38083472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.616{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3750-63C5-8A01-00000000B002}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.616{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.616{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.616{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.616{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.616{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.616{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.616{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-3750-63C5-8A01-00000000B002}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.616{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.616{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.616{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.616{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3750-63C5-8A01-00000000B002}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.618{312A7A06-3750-63C5-8A01-00000000B002}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.428{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CBB227443F330C2EA5D6197FCD06BC5,SHA256=709546DD7FE97F68FC1F7F3A4DDADBA7363FAE2004AA97023B1AFFF8C536A5CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:53.514{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59258-false10.0.1.12-8000- 10341000x800000000000000028372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:56.083{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:56.083{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:56.083{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:56.082{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:56.078{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:56.078{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:56.078{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:56.078{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:56.075{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:56.074{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 23542300x800000000000000011721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.319{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3A17C3680B2D31C9604088CC05983C24,SHA256=9D4DEDE83A1F01A3BAEA8C1971F61601E17AECCAD97C6DD12DA170E119AC3A53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.222{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3750-63C5-8901-00000000B002}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.222{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3750-63C5-8901-00000000B002}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.222{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3750-63C5-8901-00000000B002}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.089{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3750-63C5-8901-00000000B002}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.089{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.089{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.089{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.089{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.089{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.089{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.089{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.089{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.089{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.089{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-3750-63C5-8901-00000000B002}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.089{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3750-63C5-8901-00000000B002}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.090{312A7A06-3750-63C5-8901-00000000B002}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:57.923{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=454659D7237A8104F7C831E7085B361B,SHA256=88B7D21B54DBEC75B4384B419291BD9532CDDBDBF35B5F83BFAD1E958F59F671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:57.740{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=495E1FC71E16023702D3509AC43D956D,SHA256=58A588CB49F581D20F4CFB20117692995D23D4836FC05FB07B3EF525E725485B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:57.423{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:57.287{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3751-63C5-8B01-00000000B002}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:57.287{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:57.287{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:57.287{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:57.287{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:57.287{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:57.287{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:57.287{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:57.287{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:57.287{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:57.287{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-3751-63C5-8B01-00000000B002}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:57.287{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3751-63C5-8B01-00000000B002}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:57.288{312A7A06-3751-63C5-8B01-00000000B002}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:57.266{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D36B42F09143DA82F0A53C60E797BEE,SHA256=3DC34FBCDEE50C676695EBC9E5EFB6A1CF4A60D825B151F5DA480A6D7E10C31E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:58.979{312A7A06-3752-63C5-8C01-00000000B002}5043192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000028377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:55.879{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59259-false10.0.1.12-8089- 10341000x800000000000000011765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:58.823{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3752-63C5-8C01-00000000B002}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:58.823{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:58.823{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:58.823{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:58.823{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:58.823{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:58.823{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:58.823{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:58.823{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:58.823{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:58.823{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-3752-63C5-8C01-00000000B002}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:58.823{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3752-63C5-8C01-00000000B002}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:58.824{312A7A06-3752-63C5-8C01-00000000B002}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:58.557{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BB5B26BE1A838ABB86E74ABC05E1E8C5,SHA256=A78B61814CB8E0D04B391E15CBAE94C0A4AA531674E90EC2D0809913F28239AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:59.011{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01C05CC28F1EE87F72BCD89B0BCE5332,SHA256=FE698D39A393026D0A62929B285859F1EDCDB1F87A951EFBDBCE01C9F2F57D0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:59.838{312A7A06-3753-63C5-8D01-00000000B002}40882296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:59.676{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3753-63C5-8D01-00000000B002}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:59.676{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:59.676{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:59.676{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:59.676{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:59.676{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:59.676{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:59.676{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:59.676{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:59.676{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:59.676{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-3753-63C5-8D01-00000000B002}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:59.676{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3753-63C5-8D01-00000000B002}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:59.677{312A7A06-3753-63C5-8D01-00000000B002}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:59.010{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FA66B2BCD965D9BCF08D9A93EAAE271,SHA256=9EE8EE5AD514FA0F54FC90510A90A84C161DCEB6A4C7F7C2F6F9AB0315759311,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:00.100{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD93B3E44DAC2755F2CBEE75742015F,SHA256=2BFA4D4B9BF2DCD21DD18181BBD203E52D0E17D72AC5B91585EE9BF1818855DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:57.631{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49889-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000011802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.407{312A7A06-3754-63C5-8E01-00000000B002}31883100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.326{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3754-63C5-8E01-00000000B002}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.326{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3754-63C5-8E01-00000000B002}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.326{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3754-63C5-8E01-00000000B002}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.326{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3754-63C5-8E01-00000000B002}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.326{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3754-63C5-8E01-00000000B002}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.326{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3754-63C5-8E01-00000000B002}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.230{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3754-63C5-8E01-00000000B002}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.230{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.230{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.230{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.230{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.230{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.230{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.230{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.230{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.230{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-3754-63C5-8E01-00000000B002}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.230{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.230{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3754-63C5-8E01-00000000B002}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.232{312A7A06-3754-63C5-8E01-00000000B002}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.067{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E3B74707C4279626A3A9D9569A05DCB,SHA256=A19F6C7F95DD49D5349941DDA1523426985A978E9C091B888081F15769BFFB8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:01.185{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A124B39AD349A85BCCDB0EAA2B0022F4,SHA256=7D75AD2D24E999AA7282B0B44559F8DF1A5E020067D51325EA90CC79E817795E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.508{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3755-63C5-8F01-00000000B002}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.508{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3755-63C5-8F01-00000000B002}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.508{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3755-63C5-8F01-00000000B002}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.318{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3755-63C5-8F01-00000000B002}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.318{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.318{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.318{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.318{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.318{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.318{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.318{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.318{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.318{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.318{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-3755-63C5-8F01-00000000B002}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.318{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3755-63C5-8F01-00000000B002}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.320{312A7A06-3755-63C5-8F01-00000000B002}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.157{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41AE1F1659753571C0BC66A5F497C87A,SHA256=8D06E6CC92935CE94278A5DB7177B2EC59D9FDB8B4779FC09BC94E7E779A9241,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:59.525{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59260-false10.0.1.12-8000- 10341000x800000000000000028402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.609{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.605{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.279{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.268{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.262{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.260{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.258{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000028395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.257{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A9C7AC5D153A7C7971AD69D86DF74C0,SHA256=E088692CFFD6DBA2D46D7965AD4656CB4B777CD21A2C6E7253248E7AB441010E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.256{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.230{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.225{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.213{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.207{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.202{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000011822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:02.441{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=708C27C6EC4C31FAA2E6671D3AD4F6FB,SHA256=0ABB44BDBBE8D283D89AA4D97ABE592FCDFA04B85C6C428F98D9ED9EB91E9770,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:02.222{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4699C0929A983BB6F521DD37947A045E,SHA256=B97F716BF11131D9091D8B26943D19B301BEAFAF9820BA8E29F9CDBD85AE8D61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.174{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.166{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.156{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.150{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.141{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.133{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.110{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.105{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000011823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:03.293{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A9A44CFF5611B9E5DABFB3211B5110F,SHA256=5B666AEA877C7557B1DF5D1C12D3063888AF8459937FCB979C68273FC4B341A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:03.317{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C876120013A63BE4BB6E32DB422A14,SHA256=DDCF0D0EAA2D7EE4D440EFE918158294C28FB03C985A0872EA5BE05A9B099BE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:04.387{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95D47C754E0C1EDD35E28D3AAE171E2C,SHA256=C7933986E310C7677E3A0F90D657FF1E9C4638D48335FA9AA28210540AFECF41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:04.647{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:04.646{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:04.643{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:04.640{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:04.639{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:04.634{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:04.510{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-AF01-00000000AF02}3376C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:04.411{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE3309531BFFA0C8BDB8474B74101F80,SHA256=B0A56F6E6F2F70525613D2FF05D3CF0695C80766A6A9F467381D68600232C519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:05.471{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B76B23CA7843C6602F88C527775D5303,SHA256=6ACA4D02BF6E40BE36C0DE70760854A006A0A5AAED5E92CD8C314EEE55F1D03E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.520{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C25EBD5946EF954C052898074D0757AC,SHA256=CA8D98FFD047FF715AC13E26EBC179B75598D01FBB256C5465F6C885B53D811C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.294{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.293{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.273{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.263{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.250{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.248{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.213{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.199{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.187{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.182{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.181{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.178{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.176{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.175{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.172{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.169{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.168{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.167{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.166{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.164{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000011826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:06.558{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A8F1582B2F8CE59E518874D1AF5B7CE,SHA256=0507431329DE7B792C462F3FFABE2DFF0DAC73A8DA3FE55E0C76054D30B4FCD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:06.553{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD6EA3A3736B8928639072141AE5D24F,SHA256=77C637A30FC03AAF6A5B0838AF754B774448C92FF15DC584D002DA37B987B3D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:07.653{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A1D720A12E7890C876A82BA5C8E10B2,SHA256=10A76A38077BD1F93CB1887DF2B3EABC5246541EFBC3732195F5E6A228CE62FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:07.648{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2292EF88C600C74E6C987D8C123FA2B,SHA256=138EE0409F62D0637CA7497C5B3A33B73C32439586352486A1A289F7F070F9E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:03.575{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49890-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:08.733{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BDEDBEF9F5CE4A74D8F8E46D866D923,SHA256=8434ED57996110FFDBA796F1B19CB544D58CDAA5198F9220950AF154B8098E5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.736{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFDC999FA231E36C5E10E27C59B35B02,SHA256=D2F8D03DA087AE9B21C2A18736BBDDF86BE2952445BAB6344B9536FC43536239,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000028436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:04.593{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59261-false10.0.1.12-8000- 10341000x800000000000000011838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:09.995{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:09.965{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:09.960{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:09.952{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:09.947{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:09.933{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:09.925{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:09.922{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 23542300x800000000000000011830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:09.825{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2831E6D23C1552CA2A8701637A70160F,SHA256=C56B92B9B8E9730B644A8C588C52E38A5AD8103EA68BB543DDC0F555BFC260F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.915{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C0B4FE057D2925EE1751A7F72C9549A,SHA256=6C985C797209FB44ED0753E7AA5D69EA36EF461D33EF211D83CDC0E2B9004A2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:10.038{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E9393E47790D5F55C3A6D2C7409B306,SHA256=16347E0752423C7606698B4496415DDD0CAA377F14E3E7099E57E231DA7A2DC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.087{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.084{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.082{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.081{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.077{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.075{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.074{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.073{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.072{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.069{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.068{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.068{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.064{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.057{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.055{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.050{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.041{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.028{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.026{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.018{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.013{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.007{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.000{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 23542300x800000000000000011864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:11.986{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A067D5EFEC621F66987BAEFB8D891496,SHA256=5108C5E4226A3B57D1D9734B963FD5FBB8C0F7FBE9875C6E237B513C0B7F75F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:11.197{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8EAF46B2CD54166B1155AD7F20C20A4,SHA256=6322CD98B468D8BB24C4ED5CED8E027CB6F64AEB6B9B0EC304EDE9FE32A1BAAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:11.004{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\respondent-20230116112145-016MD5=B18DB66107F9A3DB58AE009D35CE0A39,SHA256=9B023875329D6D96D1D2E2C61D5FC66BDE525A94E7FC76E10487647BF6E62E63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:12.922{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65B262AE692EC7F17358A1D0C8A9C1C1,SHA256=1E30C0D9B049BBBF9F730F5C75204DEFA694ACD0AA53D732C2A8E271AAF4BE80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:12.309{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A390570611BB626E99212E4AB6F5A545,SHA256=EB5FFA73600593F3CA0C0EDB4172289952CEC338BF707F1B88F8CB1A3BD74EBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:09.580{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49891-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:12.004{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\surveyor-20230116112142-017MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:13.409{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C62124A8A82D9DDEE9E87602AD69B4B5,SHA256=2B597183AEF571206B0DC52A1942F433FCB391CF006B9CA009D09312C3B45D10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:13.075{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1A39AE1CDF5AA26EE188CCBF9CBDDF9,SHA256=75D946DA56A5B666CE6218212C686D47C08E683B814B3078C111EC180FB64F6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:10.266{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local59262-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000028475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:10.266{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local59262-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 23542300x800000000000000028479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:14.524{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=073BEE5BE7068355C924257EB94E027B,SHA256=AE0E6AD5E8C6D3CF5A792A2350EF886120FD5D1322FC98B01545800F2BA3B2B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:14.159{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4072CD2BFE4E5F02D80F5913CCE60DE,SHA256=4100981E3B3E3F7AEF0743E9E493D350AB73AA20A0BEF1EA9CA04F75CA796A57,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:10.533{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59263-false10.0.1.12-8000- 23542300x800000000000000028480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:15.598{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E40AE13CD7D90D7B7A704A336FECA5D7,SHA256=C05F48447A2B93FAA663CCF9FEA0A42D5DCE2E04C0EF360A4579364DE92B29FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:15.238{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93EDC030290EDEE7FA021953FEB10B20,SHA256=318231841DD0538BFE7200FCBB3A84EF307C849C8BD1848E99F5F972F1061DD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:16.685{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40C21A4B009DE23950FDEB2217865A0E,SHA256=21EAA6F362D4EEFBABB638325BB7884E9EF496BFE5C695049270AD59AEED98BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:16.315{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A54776D9769139FBEFE507A1F7DA97F8,SHA256=F2ED2644AFE834713BC0F677D30902D623378453CF0B01A255FEC4CDF9EA2CEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:17.780{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BAEA9702EC994667FB7F1E211A463AE,SHA256=EAF53DDF2DEDCE9754D135E069FFAC9A2122D174B7E03614CE1D352BC39C7496,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:14.590{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49892-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:17.413{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4803E38FA5A541D82D3EDA0D95DC1070,SHA256=C12ED0A676B540BB5D5E02D93BDD08D54CFBCF36AC9C653796DEB62B9786DB2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:18.879{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B48BC8A0F96CE805D08031E3CC91752E,SHA256=3E8C5EBD2F525FFBEF46122383AF988521F4F671767F6723A8C4AAB84BAB25AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:18.743{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:18.493{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=330A7322979CFE7072BB67C6CEC594D1,SHA256=1B770FAC265972B12A683BB247E8FB350EED2BAC35B06D8792E51C4005290772,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:19.963{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=523F2AA747FE210EF02DDA387EE7C44E,SHA256=AA10E1A511AE24C790A91022E55C31DC34AC73CBEC53B71269724CCE2552442F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:19.599{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4E425075FDFAF77B0B61293043074D4,SHA256=38863264B20A2F67D5D9730873C264BE738C73DBC7F1D32B0263B3DBE508C085,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:16.519{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59264-false10.0.1.12-8000- 23542300x800000000000000011877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:20.691{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B50A27A1B16C2FA78E3501F97CC74864,SHA256=0C93D16DAA88D7C524B302A19A903B4564FC7AFDFD21D6DD144AEE2CC9F06887,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:17.127{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49893-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000011878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:21.748{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=625BE5E4966B8B8B0EF7E1931C1FFFD7,SHA256=8BE021184E2B10C5C6CD259AE6C3804AC88D76C0FE06A73C8BC06E0CAF3F1932,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:21.065{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9944A3F0F28468A368E604F62B1E5E5E,SHA256=73B67337C2EC91F31F03F85FE7539A894B1BC63B8F8C4CFC0014CBEFAAFEAD3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:22.818{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B35ADB44C68BFB2BA45C174EE3D2C80,SHA256=CEDCAEB3C90EA904CFE9A6A08F3A121BD1925D83F38C98662750E21B68C62A68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.583{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.579{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.281{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.270{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.263{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.260{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.259{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.257{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.231{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.226{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.215{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.208{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.203{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.180{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.172{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.164{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.158{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.150{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.143{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000028489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.140{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FBD7572BFEBBB19D017FE5878439451,SHA256=BCF6BEA4A72B2991E1EFCB7EF214AD9F95F515A82439628FE69FE3EDBF6D9669,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.101{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.099{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000011881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:23.926{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4054A82895B4320AEA71C22E405460B,SHA256=F515C0B1A4A3708F490D777D9F437AFD0F29BA624E21D2F873578FB9B4E6DD2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:23.710{FCCA13C7-376B-63C5-6305-00000000AF02}39043564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:23.553{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-376B-63C5-6305-00000000AF02}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:23.553{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:23.553{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:23.553{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:23.553{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:23.553{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-376B-63C5-6305-00000000AF02}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:23.553{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-376B-63C5-6305-00000000AF02}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:23.554{FCCA13C7-376B-63C5-6305-00000000AF02}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:23.206{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D1B95F193D0032E71900D75770D7679,SHA256=7A55769E996EFDDD212DCACDAC0DED325DD2414F0598164695D2DA73D4D25517,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:20.445{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49894-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.923{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2F093C92DE14FD52C17B0A515E458E0F,SHA256=801BACE5309E5E63D1EB7AC7D05247A0596CFB4BAB4DB953942B4FFA58132574,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.688{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-376C-63C5-6505-00000000AF02}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.688{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.688{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.688{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.688{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.688{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-376C-63C5-6505-00000000AF02}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.688{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-376C-63C5-6505-00000000AF02}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.690{FCCA13C7-376C-63C5-6505-00000000AF02}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.623{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.622{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.619{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.618{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.616{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.611{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000028528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.532{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6A75EDE4D45AC42A5AB0EFE706201A1B,SHA256=B683A53FF5664F5086D9D9C74B174FB18CFF73816719B3B3813EA521C5B614CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.304{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD57C8A0388D09B7C232CA0DE05AFA20,SHA256=6892C0B8D5AB6FC09D90618E6CA892FD542A744EB153779A99F09770BB9AB6A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.195{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-376C-63C5-6405-00000000AF02}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.195{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.195{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.195{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.195{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.195{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-376C-63C5-6405-00000000AF02}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.195{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-376C-63C5-6405-00000000AF02}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.196{FCCA13C7-376C-63C5-6405-00000000AF02}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:25.022{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D41F34706242112E12862C8C792A2AC,SHA256=45944C975D4F53F26D36C5A1FDFEFC78D4C6E356E6ABFFCBEE8AFE4B815143CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.840{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C0E18D19EFC9174C51232FE0B69B0F8,SHA256=9C2DCE221A412474E5A31E6F5ABF5435E0A4050F01B08DA8FA8849B030E2DDE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:21.695{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59265-false10.0.1.12-8000- 10341000x800000000000000028575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.575{FCCA13C7-376D-63C5-6605-00000000AF02}65847000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.545{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-376D-63C5-6605-00000000AF02}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.542{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-376D-63C5-6605-00000000AF02}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.542{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-376D-63C5-6605-00000000AF02}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.365{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-376D-63C5-6605-00000000AF02}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.365{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.365{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.365{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.365{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.365{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-376D-63C5-6605-00000000AF02}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.365{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-376D-63C5-6605-00000000AF02}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.366{FCCA13C7-376D-63C5-6605-00000000AF02}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.236{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.235{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.216{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.209{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.197{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.194{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.172{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.166{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.154{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.150{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.148{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.146{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.144{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.143{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.140{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.138{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.137{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.136{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.135{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.134{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000011883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:26.100{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F9A9BC2F57AE54606C4E26530E3AC6,SHA256=65C9359D47A5759224906511DF5E0182CC50B185EE7701EE21AD2DA91D2C772E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:26.562{FCCA13C7-376E-63C5-6705-00000000AF02}69125508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:26.549{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-376E-63C5-6705-00000000AF02}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:26.549{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-376E-63C5-6705-00000000AF02}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:26.549{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-376E-63C5-6705-00000000AF02}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 23542300x800000000000000028586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:26.386{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7631F2A974FF4155A53580B1771E09FA,SHA256=AE86B42F5C903C6B2010D63B351FAAF62D9BD39A0DBD4AC9FBABEAF0F9E09A13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:26.371{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-376E-63C5-6705-00000000AF02}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:26.371{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:26.371{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:26.371{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:26.371{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:26.371{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-376E-63C5-6705-00000000AF02}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:26.371{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-376E-63C5-6705-00000000AF02}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:26.372{FCCA13C7-376E-63C5-6705-00000000AF02}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:27.495{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B607AE9C2AD88F3804FE94CCEA0E7C7,SHA256=F66F628774BC189C4B2BC94302DFF4F4464FD60886F607DF7518B88EC82B5065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:27.779{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6E1839EBBB7BDDB2DF6C9BC3DE3265D6,SHA256=D5880E19AB017B8F2F65342C29BF4BA63B61E25CBDF718904349909595F2F8E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:27.186{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5812CD4CD69E087238DDA8FA5967543,SHA256=6118B6C75810AEC5F8F5BEF5B4B779D663121571DECDDEEBD91106B7C86510A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:27.214{FCCA13C7-376F-63C5-6805-00000000AF02}60286852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:27.043{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-376F-63C5-6805-00000000AF02}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:27.043{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:27.043{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:27.043{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:27.043{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:27.043{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-376F-63C5-6805-00000000AF02}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:27.043{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-376F-63C5-6805-00000000AF02}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:27.042{FCCA13C7-376F-63C5-6805-00000000AF02}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000011887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:25.569{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49895-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:28.274{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9E0CE4798E54DD2834250E72E892F9F,SHA256=62F479A2B3E9E9AA12C62370D85EFA4997FAA7946B6CDAA1837FA3C1A58AEB21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:28.615{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5E7503A1D02F18072560CAFFD313BB3,SHA256=128210FA96E98C51258C364BCE37A9CD85736A993BFDD62D2B5075D0E48C66A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:29.696{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B50C95F822F1B6FD2C1B7481EEE0655,SHA256=F5E43C1CEA84F41E750D34C2DCF1EA66677F110110B8402EBA23DC6AD6847B66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:29.997{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:29.955{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:29.950{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:29.940{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:29.933{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:29.926{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:29.918{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:29.915{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 23542300x800000000000000011888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:29.352{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C86D9E2746CFA648779704FBAF8F751D,SHA256=D5D8E2C5E5228420717D0BD4B4A1BE4027E5A113644A43B01D9433819AAD6A25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:29.065{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-3771-63C5-6905-00000000AF02}1696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:29.065{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:29.065{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:29.065{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:29.065{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:29.065{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-3771-63C5-6905-00000000AF02}1696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:29.065{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-3771-63C5-6905-00000000AF02}1696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:29.066{FCCA13C7-3771-63C5-6905-00000000AF02}1696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.426{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7D216EE20F625E163309CB8A8701B5D,SHA256=5A0C4E873C6C72B3FD8125B59F1F389676F47DE34F8629FD94D4EF6D84DE7091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:30.796{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBDB2A1C278793AAF6C53AB9127B94F2,SHA256=A5EEE5981E54BC2851AC22402223A8DDFF34654A6DE9223E4D47B7357742AE31,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:27.569{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59266-false10.0.1.12-8000- 10341000x800000000000000011919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.104{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.103{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.100{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.093{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.089{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.087{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.086{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.084{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.083{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.080{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.079{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.078{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.075{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.070{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.068{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.062{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.055{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.037{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.035{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.027{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.020{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.010{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.003{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 23542300x800000000000000011921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:31.611{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E520AE4B9944BE8A471C20E4A77A44CE,SHA256=6AE7B06427148DDA868227A4960FEC1D3EC7502DC8695425D38E835E198EFDAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:31.888{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87B5B67D99E7C95872F348A2E4870CFC,SHA256=C5EA060F64C04D36E80DB6AB50A086DB4C4B9691B1DCC0DC7F53C26B379AE4D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:32.981{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54612E7D2BF667F498176C8BB31E350C,SHA256=35AA77E86A1C201AA9D095E9F0F13D228D286D667F70528FB44C29B2DC2CDC9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:32.703{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B2C83B89E93BB44261FD6F4521B22D8,SHA256=558EB9CBF19FCC90639A19F98936FDA4E0D95EEF444801883B1D96287BB8FA62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:33.772{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AF404A55DA8F152E2B7A0EC6FA5B490,SHA256=914FA0FE142677AAB705DEAEC815F42792F7FA69BDBAD75C18C2DD24EFA0E866,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:31.474{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49896-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:34.856{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=967A9460DF177CF2BBD3D75387805EA8,SHA256=648CA56E5BC7E34B596A9210150F900816F9F324131D8959AD7DBF2CEEB5A9E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:34.074{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E1A57CA0C6F236BF39512DD21E0824F,SHA256=D83BE95922E35743703A437BC802833780E4CB2334F126D4426ED709E31FA6C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:35.955{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=705CBB566055D02D2B7EE2FFAC0A01CE,SHA256=3CD930056FCB5FD7D435C459445F897F0BB3DAAFF1B475D24C608BC8315C5956,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:35.148{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A42497CF5FC856C007C5C851A05608E4,SHA256=969985E625251195D3386D25806C4F4CD88446D75F919C85D00E14B2024CC71B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:33.536{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59267-false10.0.1.12-8000- 23542300x800000000000000028617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:36.230{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFECD8EF658D84D0F4B338F88FD0067A,SHA256=066DC968AD2846F3E4CAE04F61FFDD1FCCFB9EF274C9037B548DBE1FCDE71EC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:37.327{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7235E91AFEA7318805636453652A90B,SHA256=316982D6F1B88074C7602A05BBD20A7E65571A314B70E3475BC84560F9D1EC58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:37.055{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=379FCEDA3312034DC02D3463EE4F78BB,SHA256=5552C028D7CB33D51061094980FF34405472095248EBE2E60B5B73B5A71F95F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:38.426{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFDB1C9E0326BF62DAADC958A058205E,SHA256=AB263949E1775E12A20DE6E1D6865D9801BCC4C5B0DA100113FB21C401B42E66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:38.149{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=223724093367BAF97F5268717BCE8A3E,SHA256=432EF9AA9D09107AB2A9CAD54DDFCCC44B37B58F002FA767F60C1BD3BFFC906E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:39.524{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422A4976F367121CD500E1BBD0DBD5C8,SHA256=EB432055217BE0C7D535D309ED6A627BBF2414DDF38F5AA137D0CC59708302E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:39.229{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29A183DB01267F7E624EECABB1CB8DCD,SHA256=75F3FD512E19D8A7BF43E3AD2491F0BADF487FCC898D14E66D07D48371AB2B17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:39.412{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\respondent-20230116111158-026MD5=3A7897B317CA03B79FE07533175F9643,SHA256=F76FF17815B8F96571634A983322FD544389A7130FC207258DDFB92658757A4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:40.608{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B51C0D90D82DC14913E5FBEC46371F,SHA256=E031BCB6B8F23DB77D754F87D04645157390485ECD7C30D1C1396A65B0C17692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:40.304{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAA9C2BF769EA964246D4DE32D228EE1,SHA256=56E011DFE158DDF9882D11583A8E17047AC6AD2A99424119A68B9AF6634A0BD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:40.425{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\surveyor-20230116111156-027MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:36.517{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49897-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:41.710{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8984538F67F64954C63CCBDDD7B71EC,SHA256=CBECC8E26DE0DFEFAAA9C8D200961517FF2359A386B0949461F2AD0113F94491,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:41.388{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79015DB4488A499B59F7A021E0D55D57,SHA256=35E9F573AC19950AEAE14B336ED853DCB239454E712257EE6DFD51DEE1B48011,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.857{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5061D86162B2AA439B065E5E3F16AEFD,SHA256=B9CEB709D131B3BA981DA7FAA4BEAC1CA7AF1E9800AB62E21A9393B8BE217492,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:42.493{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C5AB7D69FF6E72C61F57EDF430C6E2E,SHA256=9C01994F7D0FF7E2FDA1934C06D2D70DCABD366395613BB80F93C8C2B98FB9F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.688{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.683{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.324{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.313{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.307{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.303{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.302{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.297{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.259{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.246{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.231{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.223{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.218{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.180{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.172{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.161{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.155{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.146{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.138{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.100{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.097{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 354300x800000000000000028626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:38.649{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59268-false10.0.1.12-8000- 23542300x800000000000000028650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:43.972{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BAE06299EA62FDB7BFAC78D647D391D,SHA256=641D3E9FACB26CA177D9DBE9545C51B8102612ACBF646CBB7980EB7AC885EC49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:43.908{FCCA13C7-30ED-63C5-1100-00000000AF02}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=88AC40EC98D3703B22D3F5FFF7E9F86F,SHA256=6745801866A35D4BF4E5E088F7D07DD23E17B2BB92E7B2CCA1DFA27F7DB64C28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:43.726{312A7A06-3345-63C5-1200-00000000B002}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0FE5EFABC7E72DFC6176FB05FFB936EA,SHA256=D8BF62B3F35E542E2075F0AD644273B209BA10F0C92A19759DD4AE83604820D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:43.570{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D8387A42DF2FCD6F8AA25A34F62047,SHA256=F96D8B7766D78718493E460EC1DEF9EEB2BD9B88A3A826A2C67DD72D91A2FF28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:44.958{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF598A4CA9D995A684F617E2E6CAC062,SHA256=1540D65DC8B4A695FB7914BFC053E33C36AC75D8456B6D1F1C4CCC9E51F5C7DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:44.653{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF85CB9DD83258D5A12C53F01D066B85,SHA256=70BF2A8B512CC46D46F4B1ED5958CF3E757AF7EFBD3074093BDA0665C8FCA2E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:44.725{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:44.724{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:44.721{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:44.718{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:44.717{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:44.712{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000011937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:45.733{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DEF7245AA9A231A510A9034011781D2,SHA256=925DB7E5B08744F960DE8F13B62C918676459DD1462CA8DC5CD36730369C35CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.369{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.368{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.345{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.337{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.320{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.318{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.289{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.283{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.268{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.263{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.261{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.257{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.255{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.254{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.250{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.247{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.246{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.245{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.244{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.242{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000011939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:46.822{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2296144132AD22D121E4919D518AA8E0,SHA256=A8CE8FD0E618106C6BA55964440EC44ED12C4A0716E0E236581A435CE09D3D30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:46.013{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACED68D8D325623BFBA5A074A1A4D5CC,SHA256=B02CF390E30052E5CC5D4C687B9FB13D6248B0178EFD9995AED3C72D93A0229D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:42.529{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49898-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:47.926{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=936DC1926328CAE9657943EDE2027343,SHA256=BD94CA2A4AD8C757AC3DFA12FC128C4F82E3687FA1E0555C7FF82FBF3BA392A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:47.114{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=771B05FAA14F0587CC29D688652882D8,SHA256=D3E9E5F8849A9DBA5B66AD5253111EC883E8DE98853F325AFD15947B87052888,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:47.143{312A7A06-3345-63C5-0D00-00000000B002}7763696C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:48.209{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C0BE32FBEB48DA4B4FEAAA3C3422F1A,SHA256=1982F852A0156F569CC924C74072DEFAF489C13C345F91106DB82A6A200F3214,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:44.581{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59269-false10.0.1.12-8000- 23542300x800000000000000028682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:49.302{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5EB0898F058011B01BAE71E6AFA2A2,SHA256=558AE2965F020EAA1F68916C2AF53468C4F5F2E742002457B5B8F1794020439C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:49.987{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:49.977{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:49.965{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:49.956{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:49.944{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 23542300x800000000000000011942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:49.014{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7500210108D968BC98C981BE563CA8E3,SHA256=91F675F297A9C82E4E07C2139DE38A263DFC5E44C280AB62C69169FD56415402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:50.412{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBAE64EA6A376C9E64B2621A68A2D438,SHA256=577CB97C977701A0287382A90B46AC553DE4D4FB9CE7F18D51F4DDC777B776D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.177{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.174{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.171{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.170{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.165{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.161{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.160{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.159{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.158{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.151{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.146{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.141{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.138{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.131{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.128{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.118{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.106{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.094{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.089{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 23542300x800000000000000011955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.083{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FA67156ED58AEA480395D6148567AD4,SHA256=3868E6775E36CDB5C2711F73193DF5B17651CA2FA4C5FC095D2AEF473FF64938,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.070{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.065{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.060{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.053{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.049{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.022{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.008{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 23542300x800000000000000011975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:51.141{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACEFCD77D6CDAEFCA2CB87606B83223C,SHA256=20E22C79B17F9FDA62AA8430A052607805BE30420177811548809F972A97D732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:51.510{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=940A981C4F21912EC9C3E31DA84511A5,SHA256=68A5F08E9CE05DE77D4062EC5DC303CA5516AADE0FFBC24E263D02C1B883FB6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:52.597{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D323061CB19C761F4F9C4DF19F1FB9C4,SHA256=F3B9C574E7D168BD4AB04CFEA7F38C8A9ECE875501D1DCE1CC9E920BEDF12103,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:52.898{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1D00-00000000B002}1996C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000011977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:52.241{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=293F1C3CBE0ED585AE152F6EC043B4ED,SHA256=4FF9FB994B5BD554E291FA755633B64D5F337163D99BA4723906329A28E00D7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:48.443{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49899-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:53.689{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7923B7A78A31B147970C436C5B07F863,SHA256=837BCFDB16B3E7B1D40EF54B041D764E7788FE0450BB45F6AAC34544056FE217,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:53.911{312A7A06-3345-63C5-0D00-00000000B002}7763696C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000011979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:53.304{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90459760960F91ECDDCA9585EB9A9341,SHA256=C95860F96DAB874341C2328C3EC29B83B0874E62506913D28C4ADF6604BA2971,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:49.657{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59270-false10.0.1.12-8000- 23542300x800000000000000028688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:54.775{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=520B621A7DF11893259AFBB9A4CDE309,SHA256=AEC506E00941E0F75507A008899053B5F3494FFC675D291BD84B254159AA52B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:54.381{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9273AB9F1B35D65338F3ABDE0AA94E7,SHA256=88FEFE97193308B933BD42E282528B4442E3F6E61BAAB5B8B89E6C2B4F8B9EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:55.867{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C08C71057C95554F872060587205EC11,SHA256=BB143724271CAA12E0EE88D3BEBB8DC14ED0607BFB145B7E6502953462FF7DBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:55.482{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA732D1D86434E4079EBA398D46205A0,SHA256=91FC4319FBDBD94679FA141AA4CD6F6DFC639E59BA169CF1DB2BB1D68151FD2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:55.071{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0AF7EF015FD02C3D69F204155A64550A,SHA256=E3A83947949A167D0E599B600AD4784CC87F2562D24E862BD5FB5844716AE8B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:56.965{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7378A718DFAF10F1F47C6F70E227EFD,SHA256=73004DDEF0D909F5EBF6BC97406A28D9EF85596F0059A533541CC0441353E796,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.897{312A7A06-378C-63C5-9101-00000000B002}11282616C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.647{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-378C-63C5-9101-00000000B002}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.647{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.647{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.647{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.647{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.647{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.647{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.647{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.647{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-378C-63C5-9101-00000000B002}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.647{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.647{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.647{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-378C-63C5-9101-00000000B002}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.650{312A7A06-378C-63C5-9101-00000000B002}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.585{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2805526A6D716E8B4176B572EA7F0947,SHA256=21202A0BAB5820C1877CEDC89E04964703F3FAF934966FE38F89F0D540FDE543,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.470{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9D4A3B7668F55875339931F43A46516D,SHA256=EF511C94126C4DC95F9325395728288405EFD2F961079A8C9E7325A9FA9A1A4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:53.485{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49900-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000011995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.104{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-378C-63C5-9001-00000000B002}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.104{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.104{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.104{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.104{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.104{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.104{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.104{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.104{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.104{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.104{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-378C-63C5-9001-00000000B002}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.104{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-378C-63C5-9001-00000000B002}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.105{312A7A06-378C-63C5-9001-00000000B002}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:57.705{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AC3A80EFCCA450D1995A3EA5ADC6D20,SHA256=BD112761EAB1CF8AADA7F82129E372ADA3B29B3C1090D3F2D2B3D5507BF112AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:57.445{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:57.263{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-378D-63C5-9201-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:57.263{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:57.263{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:57.263{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:57.263{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:57.263{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:57.263{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:57.263{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:57.263{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:57.263{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:57.263{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-378D-63C5-9201-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:57.263{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-378D-63C5-9201-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:57.264{312A7A06-378D-63C5-9201-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:57.123{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2C5E8EC34200DC75EFF11220BA7B193,SHA256=533848E4FD2D36F82A8AE0BA3BA6F1E82ABFD72ED0E16C61B79BB21C5742A3D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:58.824{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-378E-63C5-9301-00000000B002}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:58.824{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:58.824{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:58.824{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:58.824{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:58.824{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:58.824{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:58.824{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:58.824{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:58.824{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:58.824{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-378E-63C5-9301-00000000B002}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:58.824{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-378E-63C5-9301-00000000B002}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:58.826{312A7A06-378E-63C5-9301-00000000B002}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:58.809{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48956102ED2E37F6971FF4EA41C11CB7,SHA256=FE2C0FF0071528A6C150B6D5846EEDCCBAF872469A9391325F61ADC02264136F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:58.055{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6549E0B02E024DF20217DA987B88E674,SHA256=629D951F2C9BBCB9CF1829BCC3F2DB566863BC7A324F8C344879094490256854,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:58.192{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=79591088F092F45A8AE00CA4F3655FEB,SHA256=02862CD7C43940650A666A281A77C4C6ECEDB79DABDE4E7409126C2D71CB1A5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.942{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64A92428BACBB27F745210F493A52F5D,SHA256=A53F4A5A1A8FD726303EA53091307FAF2B48739DE51BCB97771FD166063DBFAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.911{312A7A06-378F-63C5-9401-00000000B002}34363020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000028696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:55.905{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59272-false10.0.1.12-8089- 354300x800000000000000028695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:55.628{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59271-false10.0.1.12-8000- 23542300x800000000000000028694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:59.139{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=369838A473F21C0238D524C00CD91EB3,SHA256=D5D60F227AAF4B7E52ECFA7C8F1BD1F4AE1A0D06B112BD43AD61FCCFAD1F429B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.686{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-378F-63C5-9401-00000000B002}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.681{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.681{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.681{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.681{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.681{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.681{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-378F-63C5-9401-00000000B002}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.680{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-378F-63C5-9401-00000000B002}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.681{312A7A06-378F-63C5-9401-00000000B002}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000012043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.143{312A7A06-378E-63C5-9301-00000000B002}1124400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:00.258{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D284268DADC74463A5963721E4BD8C80,SHA256=233D699BC8762A2869B26062ED267F45AF5D58299E130032208BE3258D7B126C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:00.512{312A7A06-3790-63C5-9501-00000000B002}27163376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:00.356{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3790-63C5-9501-00000000B002}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:00.356{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:00.356{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:00.356{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:00.356{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:00.356{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:00.356{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:00.356{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:00.356{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:00.356{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:00.356{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-3790-63C5-9501-00000000B002}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:00.356{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3790-63C5-9501-00000000B002}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:00.357{312A7A06-3790-63C5-9501-00000000B002}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:01.358{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12574976EBB2EF080DF4FAF9A68AC533,SHA256=D20A03DF9C5D2694C9E10636EC319FF152643699959C773DA6D04E3705FB1EE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:01.335{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3791-63C5-9601-00000000B002}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:01.335{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:01.335{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:01.335{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:01.335{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:01.335{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:01.335{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:01.335{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:01.335{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:01.335{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:01.335{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-3791-63C5-9601-00000000B002}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:01.335{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3791-63C5-9601-00000000B002}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:01.336{312A7A06-3791-63C5-9601-00000000B002}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:00.994{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9DBB9C3BAA2603D96E89979B6FCEEBF,SHA256=D08FCF39273F4762672BFDC21FAA57021F82D46B784695A7C9EA8517C0F33EDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.728{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.724{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 23542300x800000000000000028718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.425{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=209CB363FF0994C2B843EE689EB1C2E8,SHA256=3F82512D62E0938992F8274EAC317F14DC27EE2E3C7CEF02AFB661F7531350F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.394{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.383{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.376{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.372{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.369{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.367{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 354300x800000000000000012088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.424{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49901-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000012087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:02.086{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB6A71EBDB321A4E7F348F33F9628324,SHA256=EA86570A4F543D123B3B0851FE0F981544303DBDC12B4D36B40F1AE09939A01B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.331{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.324{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.304{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.295{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.290{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.250{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.240{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.228{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.219{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.206{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.195{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.123{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.110{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 23542300x800000000000000028721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:03.387{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DF091FD859D739D17822A68782CE2B3,SHA256=2FF2869B5B289699A65B9BC97988A7BA125B8256C30153AD3ABA61A508895612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:03.203{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7897C5EC974FCC7CBA4153E7A521AA3B,SHA256=EC6542BAEDECA5F880ACE8059FD2249ACD8541C57FF5D4ACF10FAC85CF59CBB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:04.781{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:04.779{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:04.774{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:04.768{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:04.766{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:04.760{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 354300x800000000000000028727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:00.725{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59273-false10.0.1.12-8000- 10341000x800000000000000028726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:04.517{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:04.517{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:04.517{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:04.504{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-AF01-00000000AF02}3376C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:04.482{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21364C6235567511018089DC55FCEB4E,SHA256=9FE7B88F89D22B1E441D58421831FAAFCEEB1AF1544194B7E3F1FDB25638FEE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:04.305{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D8BB0A1B53CF6221F0528B8BF839958,SHA256=BC39887B3C618F452BE3CE0ED7B4EAFFE7BDE2E2F944D142EF44B0C5B6125679,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.979{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08266061DD6D5880945AC73C271B5C86,SHA256=4196BC23833780F553C3A5E66B03F146048C8C19E00DD721933E423916C6F59B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:05.384{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=581286578317B49356FD46E860F3CA3D,SHA256=E24EC90C7FE64D81363F3DD5117C4DB0A4F95ED1E6E2007B097952384A1E1116,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.443{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.438{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.411{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.403{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.384{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.381{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.344{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.335{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.317{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.312{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.310{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.305{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.303{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.301{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.297{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.294{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.293{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.292{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.291{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.288{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 23542300x800000000000000012092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:06.475{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=278DF84F05971D18A43F31F261F2D64A,SHA256=8B475FE28F00128A186AD5F01CFD0E74EFF812FE7B1C8BCFB6C2E46B8D516014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:07.570{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=878C873D5246A2C90A412A09514CA318,SHA256=61EFEE4258D79643F4C61F6045821930AC78FCEE2A50271E276F33AE1C7EACF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:07.091{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08FD3095D7CFF9EDE75BEB96C2D140C9,SHA256=7EF86F612621B8202C4E9B27837BA105320AA7BB2062FB9AFDE75A321F6C188F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:08.662{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58F9F8B944EA1FBDAD5AFD476352706C,SHA256=F0BC28DC889C061F30A05E7647EC7C65B5FB6EB7239B8E655FE335F3A006DCD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:08.179{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20950357BB7998F5097B836A7A533F84,SHA256=90A59212A4B4E704EBF61FC70D092DDC64E69388123E7BD3D7FC22F6B35FA076,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:05.456{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49902-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000012103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:09.970{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:09.960{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:09.952{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:09.943{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:09.934{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:09.925{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:09.920{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 23542300x800000000000000012096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:09.752{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91560C2C1D3A8062B746B6071622FDC3,SHA256=1ED761DE0C49F2677689E20781971FDD5332C1A3E8FA13F2C81BBFFBFE6B4683,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:09.274{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=083D468F2F0AC5BF22C650CB2AD62D41,SHA256=43475EB4116DEB72DFEF8AF1A654B1722C7B45EDDC2A94A6D9B13DE5EB597471,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:06.593{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59274-false10.0.1.12-8000- 23542300x800000000000000028758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:10.366{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCECC7BCC1FF2F35BD837E02C8F396B1,SHA256=FCCC9239DB8932F80C881E30BDCF66CB2BC813A3BD031918DF4D8FD8DAB94FA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.135{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.128{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.124{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.123{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.117{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.112{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.111{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.110{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.109{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.107{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.105{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.103{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.099{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.093{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.091{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.085{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.076{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.055{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.049{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.040{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.032{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.020{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.012{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.004{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 23542300x800000000000000028760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:11.470{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D8BB12D867F56BFC72399D48B62F8A2,SHA256=EB952E25BD8E6715024AD5ED182950453F5F54824F4CB31400E088CE162A52DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:11.084{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5032A515E605AFCDFC1D0770D722B436,SHA256=E3EE23BB1439536EB8EB38BF6633323E898D774F7FF9070536DA9CFFAC118014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:12.895{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7291F7676362B0472CEFCF76F9A4A8F7,SHA256=1859C99691F53E04CF63D1EDF4C059603772EFB01A48153CB63E41E6C74295FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:12.567{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58A6D76249AF509BB097AEB64110403A,SHA256=54322C94898E8B88F51C56268F79B32F347D086A1219410D124995C69FE74ABB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:12.523{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\respondent-20230116112145-017MD5=B18DB66107F9A3DB58AE009D35CE0A39,SHA256=9B023875329D6D96D1D2E2C61D5FC66BDE525A94E7FC76E10487647BF6E62E63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:12.161{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07137EB10D0CC58383DD0B59C0AF3823,SHA256=25CC8E8683D9ADC6DECF7D56F449EDF19AE5EA7CB54C0A414697AC49C0EA9DF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:10.275{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local59275-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000028764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:10.275{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local59275-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 23542300x800000000000000028763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:13.649{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3812257E147F72953EE852644FEA3E5,SHA256=3BE0708C77CCCE1CB76A42C77F329BDF5B60B2929BA4D5B28A2D54CB4A050C83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:13.534{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\surveyor-20230116112142-018MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:13.267{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26AFA351DB2121FCB666D695FFBD89FC,SHA256=024BF7FEDD3D00B86C050C16937F57B245819585B2CFEAEF6363C56A54E1CE92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:14.741{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8230779211376C72521F153F13A5419F,SHA256=8D26641D6A1A2F851988DE6F7D06DE7D4BAC6D2707F846E39A93B387472BC564,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:11.445{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49903-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000012133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:14.351{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7386D150DBD760B1F01CE962C6612DB,SHA256=EB9D5215855A60D52512B2DD9D70D35ED8FD2B97BBBEBEE5058F157F3485CB2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:15.812{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB3CBF6A322EBEAE06D6DDE5A236BF84,SHA256=8F302A81B08961BE828C788778069CBCA9F994207596A4150CF3360DF1DA4219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:15.447{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E8FB756E3EC46CC66CA4F09047283C,SHA256=CA138CD173754D0E76E4EFB810D60A13E3751C4DA67A0325A6A5B85E7A5CAD1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:16.903{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECFD5CBB9D13EEEB5EEB814FDD869F4A,SHA256=E3A19AE6F8DA49B0334980684AF968923725D12979E91FAD7B960345A0E1CE12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:16.562{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD7DE5C5BEB2491D9D482DA58B653599,SHA256=69835B80E0DDE96630B66EC972F4C6B254A9DE3184874A28326406C4DD4DEF8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:12.501{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59276-false10.0.1.12-8000- 23542300x800000000000000012137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:17.656{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7505D5A823C86CF5178A893EFA9D380C,SHA256=7C31B41893E86E9E431568A4619D3C8C376D0D6E0E02DDC1B1F0568D6D0DDD20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:18.765{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=806D9C1CD61D5FBF4A92182B124E4F3D,SHA256=3217BA174657895FC1AF7D5E0A374947DBC3E4F1E01DCD6B62A86CCF1944F182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:18.749{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:17.998{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D412073A2FE225C0B5FB17058437D461,SHA256=9A8B252650D14A2290D8058A70BCB2DBEED2608F89417B7BC716769A982AB3F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:19.867{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=684BC8B03C21929F09DC1C32A4E75BAC,SHA256=833E147552FDAE8E164A367A4D9FA34FDD756EC97A90C277480A75B9631D46AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:19.086{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4850B477C5138EE115E25E3290FED91,SHA256=92FBC8DACAEDE78F136CAA12B8B4331E2FF1C08CCFABBA6567647199A8F756B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:16.489{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49904-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000012142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:20.936{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E4A9616BC2EBAE71783F7FE9C92104,SHA256=69C2D8F061FAFF971D9CF5416C034DF927723B111932A2414E882D49D5378B68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:20.169{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7103BB2D77F566650296DDAC1E38BEB1,SHA256=BBB14175E171FE3ACF10CEE945E24F1BD4CB544014C694A058341D038C9B2B32,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:17.735{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59277-false10.0.1.12-8000- 10341000x800000000000000028783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:21.582{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:21.582{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:21.582{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:21.582{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:21.579{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:21.579{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:21.578{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:21.578{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:21.575{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:21.575{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 23542300x800000000000000028773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:21.258{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E0507998E2AAD67F5694D9374D7FA0D,SHA256=ECD6E8BB855A6FD7B55B61649C9B7F1154179B55DF0D9CAE8ABEAA14D451F16D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:17.130{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49905-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x800000000000000028806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.705{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.701{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.376{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.364{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.356{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.347{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.341{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.338{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000028798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.327{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F159D39C241F2C2F258139BA2D3F6DAD,SHA256=0E1293AB6278D9634ACA43AFC99FF3850C723C291528F5589337637D87C88294,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.282{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.275{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.260{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000012144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:22.026{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=122AF69C419C9B7029F28DB8B10D96E4,SHA256=39A1AF1DADB9F6C2F6C31BDCCE20ADA711E576F9DBF500EC75ACC5C652E1EB1A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.244{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.228{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.196{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.187{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.175{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.164{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.154{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.145{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.099{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.096{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.726{FCCA13C7-37A7-63C5-6A05-00000000AF02}37844624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.693{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=AB9F479ACAB947C41E15C1BE7585B09D,SHA256=4C6C25FC08068C20445EFFCC102189B4DEDF62A9C0A511885604686947341AC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.606{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-37A7-63C5-6A05-00000000AF02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.606{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-37A7-63C5-6A05-00000000AF02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.606{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-37A7-63C5-6A05-00000000AF02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.605{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-37A7-63C5-6A05-00000000AF02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.605{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-37A7-63C5-6A05-00000000AF02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.605{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-37A7-63C5-6A05-00000000AF02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.543{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-37A7-63C5-6A05-00000000AF02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.543{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.543{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.543{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.543{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.543{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-37A7-63C5-6A05-00000000AF02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.543{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-37A7-63C5-6A05-00000000AF02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.543{FCCA13C7-37A7-63C5-6A05-00000000AF02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.386{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=654439375126BD4670386A03DAED272F,SHA256=97F39F4801FA02C0102A3B20CF8A249740EDC79442B2E4AC511F8B5F2D88F759,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:23.136{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A495678C31749CDB3632A64B464B1044,SHA256=A0B2073A81C9A0DD86AC73D2022C7BBA37E47C4F621509E5B77E030E5DF00244,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.852{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-37A8-63C5-6C05-00000000AF02}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.852{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.852{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.852{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.852{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.852{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-37A8-63C5-6C05-00000000AF02}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.852{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-37A8-63C5-6C05-00000000AF02}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.854{FCCA13C7-37A8-63C5-6C05-00000000AF02}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.761{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.760{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.756{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.755{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.753{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.748{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000028833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.476{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39C09280213F4D8EBCAAF7D290386297,SHA256=E869B11B8500FF9B19428FE3ECDA045204862CD46CB263C635900E178365D5FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:24.227{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55FFF29216F0486D2F105FD7EF44D85,SHA256=73241260D2ACF397D128931226E7DE77B3A2882DC3E77073ED5985DFD4520FC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.208{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0152C3C700456A2DC20C288A311C2847,SHA256=9EAB9D1A8DE559651A048C625270F8824D47D24F240F3A34BEE785E9FF0A4F40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.193{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-37A8-63C5-6B05-00000000AF02}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.193{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.193{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.193{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.193{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.193{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-37A8-63C5-6B05-00000000AF02}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.193{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-37A8-63C5-6B05-00000000AF02}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.193{FCCA13C7-37A8-63C5-6B05-00000000AF02}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.956{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5EC5941C7A513C0161AA272159CF52A,SHA256=3F30A9FA7C599ABD7D276802A73F951902853A77232FE820A00B5072F69E5896,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.692{FCCA13C7-37A9-63C5-6D05-00000000AF02}2116576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.665{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-37A9-63C5-6D05-00000000AF02}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.665{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-37A9-63C5-6D05-00000000AF02}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.665{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-37A9-63C5-6D05-00000000AF02}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.531{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-37A9-63C5-6D05-00000000AF02}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.531{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.531{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.531{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.531{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-37A9-63C5-6D05-00000000AF02}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.531{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.531{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-37A9-63C5-6D05-00000000AF02}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.532{FCCA13C7-37A9-63C5-6D05-00000000AF02}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000012148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:22.467{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49906-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000012147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:25.323{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6553A4308E7B0FF635414FACAA219FB,SHA256=55B3321836A18B33039A433F4A7BF068EE38CD51474BCEB5B4F4C2ED1B0F74C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.387{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.386{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.360{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.353{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.341{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.338{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.314{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.307{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.295{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.290{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.289{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.286{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.284{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.283{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.280{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.277{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.276{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.276{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.275{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.273{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000012149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:26.424{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DEB24CC93ABE1731564AEA28569960D,SHA256=903905A67433D19A766BD0C8E8922F3D5A27FD6514AC5F73674DEBC07723B578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:26.650{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3138F25E46988202FFF811ECEBE03117,SHA256=44664C154D96DC667F098DDE45B778C747805E5C31C1AFC0ACF13F1222F26338,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:26.542{FCCA13C7-37AA-63C5-6E05-00000000AF02}69285600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:26.385{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-37AA-63C5-6E05-00000000AF02}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:26.385{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:26.385{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:26.385{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:26.385{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-37AA-63C5-6E05-00000000AF02}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:26.385{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:26.385{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-37AA-63C5-6E05-00000000AF02}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:26.386{FCCA13C7-37AA-63C5-6E05-00000000AF02}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:27.641{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9EBCC5911A35AB58493EE00332730C0,SHA256=02C99651496C0DB021768C2F9D02142C8C343C94B8437F6B9C385469A9235E11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:27.530{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5560B16758BB7CB1EB8A53102EB9CD38,SHA256=4F90E440040C6C1E595A0C00F271B710BB5491AE7A2639DCB7D56F68C7AF9DF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:27.246{FCCA13C7-37AB-63C5-6F05-00000000AF02}24245752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:27.045{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-37AB-63C5-6F05-00000000AF02}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:27.045{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:27.045{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:27.045{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:27.045{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:27.045{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-37AB-63C5-6F05-00000000AF02}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:27.045{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-37AB-63C5-6F05-00000000AF02}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:27.046{FCCA13C7-37AB-63C5-6F05-00000000AF02}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:28.622{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420C0D331DEE4BC47B133CE563B63EB7,SHA256=4B3056406D7EEAAB880A393AB97F394B804D48486B32DC799837E6302431B76A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:28.575{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=EA5CCB323D1DC8C2A1F95B22D66DED77,SHA256=F9E2D49F9137EE08BB4E4F980D0EDDC5B4C9E70E0F732F656ADBA49D1F389A59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:28.734{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C011535A9F02F86A6A184D927958CEF,SHA256=D5C41CC3EC333F4EEB3506808C1947829A716EAFC955179B3D748E50860FA2CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.609{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59278-false10.0.1.12-8000- 10341000x800000000000000012160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:29.973{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:29.964{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:29.953{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:29.944{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:29.937{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:29.929{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:29.926{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 23542300x800000000000000012153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:29.614{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA26DF8CDECAB1938B2AD72BA4C6CCE4,SHA256=DBA61B2D7257056266D8432170090935F46D715EF26A46591548A1F09BCB87FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:29.818{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23B17060BBC6B290CEDD67892BF4B16F,SHA256=A3B525BB15136BBCB1A85B34AE25ED76E9A32C5E26D6E54907020FA622651AEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:29.061{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-37AD-63C5-7005-00000000AF02}7136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:29.061{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:29.061{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:29.061{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:29.061{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:29.061{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-37AD-63C5-7005-00000000AF02}7136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:29.061{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-37AD-63C5-7005-00000000AF02}7136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:29.062{FCCA13C7-37AD-63C5-7005-00000000AF02}7136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000012185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:27.617{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49907-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:30.904{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9443D1D5820AD0EB23D90863AC1377F5,SHA256=5449F4720B1D451DEE3840C10373E8CB69820CFB50F31337757FFB656B674A27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.101{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.099{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.097{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.096{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.092{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.090{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.089{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.088{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.087{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.085{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.084{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.082{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.080{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.075{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.073{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.069{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.059{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.040{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.038{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.030{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.024{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.018{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.009{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.003{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 23542300x800000000000000028913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:31.988{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710AE755605EEFCEFB13D0CFD0A2EEF3,SHA256=821A76882A8D50C85A2D00A4D814D60D9FF4BFE1753F58116E03B1EDAFDAC77F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:31.058{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7654A2974967357F1491878D4322018C,SHA256=78DFE1B71FA7D3131B790A3851B3F39B87ECE51C785ADF7966FB4C855A027164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:32.039{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E291BE640933BE0F4C685316991C0CD,SHA256=94BC34207D8581F958A0129994D97106B3DA75BD834AA3381C262EDF741B7471,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:33.152{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB3B45628C9F9DA335F83235D48889A,SHA256=67A7A3DF91FF1DE45C1E0B8BD39D55C4E2C14723B9B410978218D9EB0581762D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:28.717{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59279-false10.0.1.12-8000- 23542300x800000000000000028914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:33.086{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B277903F89EB723296B68B556075110,SHA256=846C18A778C38DD20367F7BB1067562DC01C8F0FCA2859E30B33DD1A29179E06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:34.234{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AC96300D112A2FFFE3E1EF39466A5D3,SHA256=3410FF542D0CA3969D96541595480B10150398BF9387D72306461951A1E7E79D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:34.166{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3E7016557447A0F36CFE54FA4DB020,SHA256=EC3AF8D51B1424BBACF3AC0BC41324CB6B2C8A7A48A991664477DEE8F2E6DA1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:35.324{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB1E6B41E642E8A0159762065D3A9F8F,SHA256=40936A418E425E3B6E8AA986445BCCAC11727B64DB4EA12FB59F1B3CB6A1C515,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:35.273{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C43F11F3F70A1839896CFF2A6A37B0F,SHA256=2F6CF8B53F3E5C5866B27EA0775B2AC3E741EB7A0EF4EFD630097E24C23B99FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:36.416{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE5C9A2B98A47B488A04881DF340B96,SHA256=F86DCC46504387B73DE03DC8F05A2AC2BC35F6BBD6026149BB3AE38B637A8F4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:36.354{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A21D926CD93054648F87446ACFA2A0,SHA256=ED34813D6B310F0BAD37E52AB9D242EC0F8CE5FE26751A43FD322A324F8CF5CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:37.515{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF53DDB92A214207FDD6205F491CD3D9,SHA256=4E7934CFDE061020D067EBBCC842A0F10507AF37ECEE1B1A8A2F2CB0F83E64BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:37.439{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91D0CBC15383FB7BB208139333C02C62,SHA256=79BA31C2A3D0F0613E41E8B869A9177BF5A8823DF9095B145C564AF499CF1FF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:33.579{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49908-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000012194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:38.614{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EFFBE81A40EDFB9D4D138A5438F0923,SHA256=8D62DE454075F100B229DE2352C0DC59E943A13C8A275305891B5F71624C56CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:38.537{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D9226DB7A32531742BD6FE0F5C78E5,SHA256=BBDB55497C51B37218F49FC360342DED3B0929B7EFBFE4B693195552666678A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:34.583{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59280-false10.0.1.12-8000- 23542300x800000000000000012195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:39.706{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87DBBFA2DB25E3C4CB9179D4C028093C,SHA256=E7303196AB7F7955485123DEBB8E7969804C4780EC377A5445E30605264D8A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:39.623{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8550BCE61D8E284E023D72D15203CF6B,SHA256=B515921551502D6FC9D5372118649B1FDBC0472DC8C08F9CA80CC847107A9EC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:40.810{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD3046E7964EB485FA290DDD7E6F9D3,SHA256=3DE246184D9A3C30B9AF87D2E21B466EA3E256484512BBAEDCDE043C57EAD523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:40.945{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\respondent-20230116111158-027MD5=3A7897B317CA03B79FE07533175F9643,SHA256=F76FF17815B8F96571634A983322FD544389A7130FC207258DDFB92658757A4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:40.718{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E450FB13768534CF8F053076A895B01,SHA256=ACE9A365B98E49CA27C6900AA3D94BC6741D633AFB75FFFEA3536F13C74593A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:41.902{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD145C5E29EA068799B00E340A1A070,SHA256=62308FBD60A2F9596982D94A45A05A7D313CBD9DFAEF3C05E7DD5BF3234AAA99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:41.943{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\surveyor-20230116111156-028MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:41.816{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CCC178A280FB7650851A795F56A35B0,SHA256=DA0A5057EB58612928E50E556061C6B7AEA703B9850A62EAE995C58E7206294A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.858{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3315D604FCEDA283A6D821B217382CB0,SHA256=E1E6F054B96103B9141F335C840E80D6EEA029833FEDA857121D40C25CFA0BF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.799{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.793{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.389{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.377{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.365{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.359{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.356{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.355{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.301{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.296{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.276{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.260{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.252{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.199{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.184{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.176{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.161{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.150{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.140{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.098{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.096{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000028951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:43.971{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA71C7F9C8951278A19074B34EFD8C9,SHA256=3A359E9C7F7977D02F16F58BD9818BFAC01FE9A41ABB346DF6D8335E75F31CB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:43.909{FCCA13C7-30ED-63C5-1100-00000000AF02}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A94DA1488268529A2AB148B64357E5A8,SHA256=1A7ADB05A74ABC2D63DC8BC91900A451F2BD3056187FC5585118656C0121706C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:43.737{312A7A06-3345-63C5-1200-00000000B002}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6D35657FC09C27E780CB16409B5D04A3,SHA256=F54DEBEFF49C43EC23B9DDA390A57EE1F6CD9DEE7C0DB3E9A4DF3A9AAEEB24DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:39.571{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49909-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000012198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:43.002{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6886B622C3CD319CFD9A971EC7F3C591,SHA256=77D9CE990BCB1B01AFEF4EB7508830BCF632858E7F9364E3288BF82C3306FAFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:39.622{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59281-false10.0.1.12-8000- 23542300x800000000000000028958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:44.951{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=376F5F47455B7E60F5D3DBE3839DFA1E,SHA256=4A8C1DC67F47BB4480A201B4E2740031F6C81BA710260FDFF08DEFEB31C6CA59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:44.103{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAF4FA67A20B7626DD8DC26845D00037,SHA256=CCACABB3F88D098465EF56462858469C3FD7CF1A6F4997B307A767C8D35B47BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:44.829{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:44.828{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:44.824{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:44.822{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:44.820{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:44.815{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000012202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:45.200{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A7FAAE9A8277DE476311F99C3F24D1D,SHA256=B8C1B90830DB335E71ACA291222DD968D42BBB943013067833D959675A46145D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.497{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.495{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.458{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.449{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.431{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.427{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.392{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.384{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.367{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.360{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.358{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.355{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.352{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.351{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.347{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.344{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.342{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.341{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.340{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.338{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000012203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:46.300{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=206AE95CED7052B1F591BC07B60292FB,SHA256=E869A7005A6E0585CF3BBC28A167CD70ECB7B9F097DC0AA0859D1FD9FA65997A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:46.023{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D57C0E67724F990E3B69BD99188799C3,SHA256=C86D4DDC6639897B79AD716B8F031EA1FAB10589F6F0CBD1DA40C77E78570900,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:47.391{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54819127F4E405230843DC008588481E,SHA256=F5BD8FFEC0DC7B6BE3F94C721F1FC5C31016A0EB9F0013FBF5D5B5BADA06BA5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:47.120{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F2C3C2965C3D36117BE25EF17AA769B,SHA256=F72D72905E8D919D8EAD77A204F317FAA6EDDCBEB171D09D63816CB8B55D39CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:48.478{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83933DA8759308D74833D843974B1069,SHA256=D1D17BB8374FE51C0F2AE1E15A050D587344D325F25423BF47A76A8D23D90A6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:45.474{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49910-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:48.210{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9037146ED06995CDB33A5F65FF567ECB,SHA256=BB39294E45DCAAF20503B5248980EBDFBA562DB78155DF53E0A74D4B9D57ABA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:49.992{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:49.982{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:49.970{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:49.964{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:49.946{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:49.942{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:49.939{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 23542300x800000000000000012207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:49.560{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D0FF437F29779245EEE818D45CE2832,SHA256=2437AC7DDFE8878E5CD682D0C3162E9FF90E6F0A2B5FF5B7F2DBFF5864B1F4E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.583{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59282-false10.0.1.12-8000- 23542300x800000000000000028982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:49.299{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F65CC14C2BC5768C84B4AE9D3C7C952A,SHA256=7F73BA4ED9079F4AD9A92B052B87A3A0FCC0DDEB07CFF62E581530EB693A835B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:50.394{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09FC6A27527A2992782FDF9144D37270,SHA256=2900901CDBBC139C27733A913609E07F156E71E5F38AC01EE01554D4C6DB7F81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.143{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.141{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.139{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.138{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.133{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.131{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.130{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.129{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.129{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.126{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.125{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.124{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.122{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.117{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.115{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.109{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.103{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.086{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.083{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.075{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.068{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.059{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.047{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.035{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 23542300x800000000000000028986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:51.489{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=345463C02B5B7D6B60F53FBB6628892A,SHA256=E73A873ECBA5394CE6812819BA19F82614B193ED17D95DE2FDCA055D63650B59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:51.489{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D4054446A013FB77AC243D3A24CDDB,SHA256=7F72B524E1BF164AB99B5CA5B76963102450275B6A9A7E7049EDEE48829E34C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:51.043{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6177C81C768B30EF98D4FACB6ACB1354,SHA256=8CECC24A0B386764AC61EF2CC4A1CF9687D79EBBC629109823568E12B72B0780,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:52.586{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=263DC5263A466CDDAC9024AA1519AAD0,SHA256=3734DA361713A57E704BBFC9F1579661579D1B2B3297DE14403D196E352A8CA5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:52.916{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:52.916{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:52.916{312A7A06-3345-63C5-0B00-00000000B002}628668C:\Windows\system32\lsass.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:52.900{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1D00-00000000B002}1996C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000012240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:52.181{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E0EB2360A1F65F99CA634B2F9A0735,SHA256=BB6BDE8E22935EE78DF3AA24D8132DDE6F7B77D37C9ADD013938CD69F7DB8E1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:53.699{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E99637EADB7C74F76D159D7B60A38E5,SHA256=4BA33411FBE323E5A2EC72EBD8FBACD25E6900E8ADBDF37035BF8946D94BE0B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.623{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49911-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000012245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:53.277{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAF1F28F64B395EB3EB7E9EDD424960A,SHA256=A937F52186BDBCB02FE14C40E352858AB14D3CE61F29E0F805842C22F0B3968F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:50.598{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59283-false10.0.1.12-8000- 23542300x800000000000000028991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:54.787{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0AE6AB740DCFEB2074F023E53393268,SHA256=E50BD3778F37B3642DF4F4BCEA9AB34EC1521BC944459EB92354FFAACD2326DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:54.383{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D7E6F4CB4837517568587E879DF9BEA,SHA256=AE216BEDAA163635A3F5E677741430236E261DBCCB5429992EE1D4632211014D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:54.336{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=AA9283FC009E52058D56024DF0CC0DF4,SHA256=A6D6A985F320203CF1CFDAD4287CD40587E8A8718081AC618A650B1A025AF66D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:55.875{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C032C77AB79ADD373FA88431121310,SHA256=8A2FB7439AE1E1EEA7C4A9DC42F991592A89938FAB599003DC7FFE3B203F8CB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:55.471{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0275212D2020F7F891B2142E921D84A9,SHA256=83AEEA9781C26850F1E826F51D52D6560B6BD8E8583A2B81568663A50C201849,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:56.966{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9CBE93E0256B3A0B5F49F07F4E4D34D,SHA256=0F2D1E857B8DF1CC3F425F4B49C5DEE17243F2EEDD9974D10C11F8704C816F59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.824{312A7A06-37C8-63C5-9801-00000000B002}23962408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.636{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-37C8-63C5-9801-00000000B002}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.636{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.636{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.636{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.636{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.636{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.636{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.636{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.636{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.636{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.636{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-37C8-63C5-9801-00000000B002}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.636{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-37C8-63C5-9801-00000000B002}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.638{312A7A06-37C8-63C5-9801-00000000B002}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.574{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22CB78F4DF1E5D9E0306A3C867B10833,SHA256=0B0630B07D978C931D3324F6253CED1E10A8F029D1FACC084B40657FA2BBC676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.355{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9ED556CCDFF12CF75401D85A2B84A3C2,SHA256=791C0335D89F00ADAB4945513302798919375F141344632EC47ED16A6856B655,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.281{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-37C8-63C5-9701-00000000B002}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000012263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.281{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-37C8-63C5-9701-00000000B002}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000012262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.281{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-37C8-63C5-9701-00000000B002}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000012261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.123{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-37C8-63C5-9701-00000000B002}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.123{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.123{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.123{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.123{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.123{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.123{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.123{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.123{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.123{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.123{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-37C8-63C5-9701-00000000B002}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.123{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-37C8-63C5-9701-00000000B002}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.124{312A7A06-37C8-63C5-9701-00000000B002}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:57.808{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5E0821748BF9907C72EDA0A4601C1E1,SHA256=6C31E263A3BE8B14FA11E94B0EE2A80C8262D89A9223547E08BBBE6F0B1CFCC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:57.453{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:57.255{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-37C9-63C5-9901-00000000B002}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:57.254{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:57.254{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:57.254{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:57.253{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:57.253{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:57.253{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:57.253{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:57.253{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:57.253{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:57.253{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-37C9-63C5-9901-00000000B002}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:57.253{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-37C9-63C5-9901-00000000B002}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:57.253{312A7A06-37C9-63C5-9901-00000000B002}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:57.236{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15799D9DD618B104D5A7035B1E64A1FF,SHA256=FCC57FAFA187EC7D91DBBD547A10C9600E659F28AA82695DD8304A92D0328EA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:58.893{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8897F84E3B02E3BC66AA69655CA0C7DC,SHA256=90813D76C2079A5FFFBF8CF4C1007179B1B077857538DD5576357CE5A764B213,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:58.846{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-37CA-63C5-9A01-00000000B002}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:58.846{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:58.846{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:58.846{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:58.846{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:58.846{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:58.846{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:58.846{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:58.846{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:58.846{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:58.846{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-37CA-63C5-9A01-00000000B002}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:58.846{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-37CA-63C5-9A01-00000000B002}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:58.847{312A7A06-37CA-63C5-9A01-00000000B002}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:58.064{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73AB353669D50B31415FD86ED3A821B7,SHA256=2BC6CA5F14926A4DA720A3EDEC77C71AF6ABDDA0D4A02D0FD535AD1B350225B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:58.534{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=116FA34C8A472504A94783A69EA6B520,SHA256=D0BADB3BCAC0563720BB8C550B9195F668C04ADE158130659F8371A5754FEFE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:59.847{312A7A06-37CB-63C5-9B01-00000000B002}5803960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000028998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:56.604{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59285-false10.0.1.12-8000- 354300x800000000000000028997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:55.932{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59284-false10.0.1.12-8089- 23542300x800000000000000028996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:59.159{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEBEF707C3734B9CA350CFB6CD670B57,SHA256=EB091162DA46890DC486A6CD0D290A4D12F846D47DAE62E0F023C6E6E5F8A420,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.568{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49912-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000012324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:59.682{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-37CB-63C5-9B01-00000000B002}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:59.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:59.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:59.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:59.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:59.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:59.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:59.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:59.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:59.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:59.682{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-37CB-63C5-9B01-00000000B002}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:59.682{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-37CB-63C5-9B01-00000000B002}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:59.682{312A7A06-37CB-63C5-9B01-00000000B002}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000012311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:59.002{312A7A06-37CA-63C5-9A01-00000000B002}39561072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000012348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.865{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C00803C0A0B1FE0103D8B1A8009B7BF2,SHA256=FBD5E2A64F4E380B00B0523938E2AAC34DFDFB0D559F2F82288A99B25000310A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:00.259{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09DF77366532FF0A0FF42642E3469CA0,SHA256=98D45D18EBD4F492DC9DF0A6E36E18032CD59AFC971F10AA1FBE29576CF1BA9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.374{312A7A06-37CC-63C5-9C01-00000000B002}33122748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.352{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-37CC-63C5-9C01-00000000B002}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000012345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.352{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-37CC-63C5-9C01-00000000B002}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000012344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.352{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-37CC-63C5-9C01-00000000B002}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000012343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.351{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-37CC-63C5-9C01-00000000B002}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000012342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.351{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-37CC-63C5-9C01-00000000B002}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000012341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.351{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-37CC-63C5-9C01-00000000B002}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000012340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.212{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-37CC-63C5-9C01-00000000B002}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.212{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.212{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.212{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.212{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.212{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.212{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.212{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.212{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.212{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.212{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-37CC-63C5-9C01-00000000B002}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.212{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-37CC-63C5-9C01-00000000B002}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.215{312A7A06-37CC-63C5-9C01-00000000B002}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.212{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A192C7A51923AD765401291CD7D126,SHA256=36247CFCC50087F5D67B3FCCD90D2FBC27A618E28D49F1E0FB9CE08986C8FBAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:01.969{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37B62A8174D748720E0A998C2BA2BC40,SHA256=BD51AE065DE9270449C7E90E5645054709D05A3A8087AAB539A28B69E3552C02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:01.349{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A3C8641CDA21FE1342C831FAF5E61FC,SHA256=0DB90C313A3930F42B0AC576A93A2F1E382A7DD1E74D1D64AF058619BF7D53DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:01.340{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-37CD-63C5-9D01-00000000B002}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:01.338{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:01.338{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:01.338{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:01.338{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:01.338{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:01.338{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:01.338{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:01.338{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:01.338{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:01.337{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-37CD-63C5-9D01-00000000B002}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:01.337{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-37CD-63C5-9D01-00000000B002}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:01.337{312A7A06-37CD-63C5-9D01-00000000B002}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.837{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.831{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 23542300x800000000000000029020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.417{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ED9A1560D882403CDA17CC7FFCEF777,SHA256=B7DD88F3E0BB64D80A1DE1AC8F257B4A46A702ED930AC2D42A12B50C2DA12747,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.393{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.381{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.370{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.366{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.364{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.361{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 23542300x800000000000000012363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:02.388{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF02D69DED69D9F8B56394713814397E,SHA256=BB321F9EB8615D8220A54BE819EB2D56B6F00DD6897A529CCB0C150F0BC30378,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.315{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.306{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.286{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.275{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.269{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.232{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.222{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.205{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.197{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.183{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.169{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.118{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000029001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.112{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 23542300x800000000000000029023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:03.569{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D238F7F54F4FFA60B1A80D3DC92FBBF7,SHA256=21F4933BE0E0A0D94E4AD27387DFA18A1E7E52C8F8FF3B7032E8CC0489B98E89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:03.049{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA9BFC797277279C5CE03941A954020,SHA256=E63C7CAAFBD8B10153986FFBCA3C55F435719CA5615880E2E032BCB5BDFBA69B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:04.883{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:04.881{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:04.876{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:04.874{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:04.872{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:04.865{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 23542300x800000000000000029028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:04.662{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43BB4B9B5CA46F0EB65AC3D786F97FC7,SHA256=1E6614F13853635762B1716540DE6E5942D851B238D7F0DD7C8E00AF4A0A80C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:01.615{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49913-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000012365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:04.135{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=549F8E47F0A46F13F64B86EE3612B41A,SHA256=710394B7BCB40BD098DC3A66B7A810AA69BDCDCEC0CB57BA3217F806EDBD4D62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:04.516{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:04.516{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:04.516{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:04.501{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-AF01-00000000AF02}3376C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.725{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E98EC055A3755DE3E4E14A230D99179C,SHA256=48D2CEEE93270BFA1D38AA0AEC11D7303BE51D33B5C07A1A82DDD5B48F3F722D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:05.218{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=756863B1A8CACF7ED06D6BD8C7BE415A,SHA256=259739D04A927CF314E5A30D05C6B2210A946E4407DC647A76780A0E0D7C990F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.534{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.533{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.510{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.503{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.487{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.484{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.446{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.435{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.419{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.414{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.412{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.409{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.405{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.404{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.400{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.396{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.395{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.394{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.393{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.389{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 23542300x800000000000000029057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:06.809{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF93C53D0C3A032FD99FD618CB3CB8CE,SHA256=F9E1181F1B833A544AA70399BA49AB35B682F473B815E06AA35523B24C397D99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:06.316{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=637D9F799DA9BA16A0B09B83466D5CD4,SHA256=70C2959B0D4D68542154445F24A70DE464FD5EF3F516CEF1F89485BEECC8DC47,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.536{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59286-false10.0.1.12-8000- 23542300x800000000000000029058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:07.903{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B93A9174593DC41BFEFFECBB851E95EB,SHA256=1E98F853EE4A02947DE14D83E1FF933222D0B3BC33CB843B4E0615387F7725A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:07.409{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AC7A7C2B1757A2EC557C27A724B6D59,SHA256=DA713630AE3495984830921ED079ECB79A57B7954F9541D143E8842DFDFDC8E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:08.496{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12C41CC1A86EF8084C6E3E9F40B94863,SHA256=EEBFD10122B7D2F5701192785F24C0FD7B3A33DCDD42D491CB63C47CAA43C8A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:09.999{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:09.994{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:09.988{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:09.982{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:09.977{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:09.954{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:09.949{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:09.942{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:09.936{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:09.930{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:09.925{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:09.923{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 23542300x800000000000000012371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:09.590{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA21A0303C9082B58E09805F1AA9460E,SHA256=6CA2AD74F65CBCCC22F5F32CC36C00F872E7532477F104B311A129136A461AC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:09.695{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:08.999{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=409CE5943B40289E95EAF9DE054A5B5B,SHA256=DA0B88D4BD5EE1534A7DA7C8D904A58CC58D12EE9846A15FADED671B45105FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:10.858{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E95ECB437316705CAFF88479F29D0E86,SHA256=4013C21E497BB9F3EADFF2D562C0DBF3CB366ECE4ABB75E48CAD1914164407BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:07.666{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59287-false10.0.1.12-8000- 23542300x800000000000000029107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:10.433{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=558598FE174931CE01442B47079AE23B,SHA256=965E933555D7F3BDD826F1522E9038E6A3AE28F87DAC61E1EB185C7478AF10D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:10.058{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:10.056{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:10.054{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:10.053{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:10.050{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:10.048{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:10.047{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:10.046{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:10.046{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:10.044{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:10.043{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:10.041{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:10.039{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:10.034{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:10.032{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:10.027{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:10.020{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:10.008{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:10.006{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 23542300x800000000000000012405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:11.982{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F42866DEB66EBE066ABA3298EC3D45FB,SHA256=7C7674D9B6958AF3237E8F1EE4BCDA694302509F0EC3D80CEADC542D774C225F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:11.536{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081EB5ACE047CBC804538545A359EFCA,SHA256=C7585CAE707E4FB9E90D727847316D792A9AC4ECBC0824B27D65089BEC46936D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:07.641{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49914-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:12.916{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F64D737A00954BCC36A4F1CE762B0A0F,SHA256=DA70BF61BCC601646985DA01068DCBEB6400A4C88142AC454E3379EB40359725,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:12.619{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B03A0FDF7F28A6FF5FFF353A09DB9F0,SHA256=34334487527C46B606592B9B4D188A8BEBC121F0953CCE50755856B9FEC5D648,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:10.282{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local59288-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000029113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:10.282{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local59288-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 23542300x800000000000000029112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:13.699{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E4757C7740F1EF7B15968F0A1758F6F,SHA256=CD237D487D3F2B8D6193C7EEA65E3972A3674F617452A3363D879190CF062235,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:13.096{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A476BBB4B1BC104CC13B8644ABB188AA,SHA256=AC5DDBFF2328ECCAC761C5923CD54CA7007C81324D39F1C2A5C8786657CF69DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:14.790{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7EA0EB34261FCA11603E72B2527F11A,SHA256=714CBAF8239FC6BD821D034A5E71EC8FDCB00AB7AABACAB3F2C4C7F0C844D4DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:14.166{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B4250FA31FDA3381F5FB96A6C42EB1,SHA256=548BB3B193FD4FC1F03EE53C3D2EAF374C94BD84F228C36D0024B3176600D9DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:14.056{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\respondent-20230116112145-018MD5=B18DB66107F9A3DB58AE009D35CE0A39,SHA256=9B023875329D6D96D1D2E2C61D5FC66BDE525A94E7FC76E10487647BF6E62E63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:15.905{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DB8738A0B65AEFA6B4FEB7CFD9B5EAE,SHA256=6CE90A9B9979862883E1DBBBEC7331C4687050E9EE360E76A00E40CEDDE352FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:15.266{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4561D4B9496C9B36AF89F648A5D31BE,SHA256=D901DFA210DDFAFFC3A982AAFE1A19150D32025ADC98D0BC80ABAAF06797090E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:15.055{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\surveyor-20230116112142-019MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:13.582{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49915-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000012411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:16.369{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D8182829181CF34496148E705C948B6,SHA256=36F0DA84A67113AC144B70B5A14A57820A85E5246D40EA88824FB22B7CA4855D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:17.457{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39CC9F957FF1DEE27322FD88D8F5B961,SHA256=231CE3AF7959B83F12A0D78FF0F8374AB36B11D8746ADF1FB9F120CB722E434B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:13.567{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59289-false10.0.1.12-8000- 23542300x800000000000000029117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:17.014{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3335A4CDDE2352B1C5A330B5FA2ABAA6,SHA256=134689C674E421DA938C464CE73B0C88D5EDD76224034FD607AD66C6F616A564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:18.770{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:18.550{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48192BD182C102E837742335C39E5254,SHA256=A864FAFCF51679EB876E7CC29163C95CD53352E17EF99652281B091DA1A6586E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:18.126{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5FF0B2198D80C2A8BDEF07E272654B1,SHA256=28E5280FB859652EE129B1D4402CB4555AD571C7181D50AE774E9F86E979EEF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:19.634{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30A344F96ECD0F7B4140F137203A9B25,SHA256=7FD796825B0FDF58C7175DFB8119E9FE27D2CB02FD7ACE433CC7B8DE157BD795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:19.227{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD5144C3CD6E0DD812920592825491D3,SHA256=92C5557751773F0A1F86801ECE92DFD361A9ABDAEB39AF6532C12A46C01FEAC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:17.135{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49916-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000012417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:20.714{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48CB31F1CFE81FCF8E2CC3CD89122909,SHA256=A5843107F285E7DCA3D954248127F86FF6A709701AB2D91FFE2F6CA4E1CC3398,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:20.322{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8077770040BE57B207F35E254DE298E,SHA256=A34675042F46AEB227F3FF08D1558963FDEA7C0D2DB5B8F6D7DB278C2DCD0729,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:21.798{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D19ECF513B4215990EF3F954A4D160A8,SHA256=895A0CA7EBEF992C165F8B420C382A76A8683D30504673EB8B83AA8B48C6E56D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:21.417{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B16389B7D60E312F1AF93A08F81C5AAD,SHA256=78EAD561077CE59CADECD34FB9EEB423DA6AF71DEE7F421B2CFEA4C53B787D1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:19.506{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49917-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000012420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:22.903{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6324ECC23A0DB131145AC37D1FB77C61,SHA256=138285094B41CA09057316BF4EC1B821EFBE5AA0D7878F90F059980E6B5E13A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:22.638{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:22.634{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 23542300x800000000000000029143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:22.482{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=465380DEAEF8A0098D8CCFE1B5565354,SHA256=A1BC476F8D654277F59B8F28DCA849A41973DA0AA3FA28CE87CC0B6CDFA70385,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:22.321{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:22.310{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:22.297{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:22.294{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:22.292{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:22.289{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:22.257{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:22.251{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:22.235{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:22.227{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:22.217{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:22.186{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:22.176{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:22.166{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:22.158{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:22.148{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:22.140{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:22.097{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:22.094{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 354300x800000000000000029123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:18.723{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59290-false10.0.1.12-8000- 23542300x800000000000000012422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:23.991{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AA92C467A1227CA13529BA4BEE4FF93,SHA256=4E5682D55FA312029861B22237E56A0ACD5418EAD7E4F2B18D9FD9EE22DF8802,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:23.663{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B5063FC4D87E19E2BF273FEACB8AD33,SHA256=BF2D6763B82629B8116C5CDD49F28CDDBA1AD4CF7C9AD7A47C7E26F840A4AD5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:23.551{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-37E3-63C5-7105-00000000AF02}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:23.551{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:23.551{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:23.551{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:23.551{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:23.551{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-37E3-63C5-7105-00000000AF02}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:23.551{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-37E3-63C5-7105-00000000AF02}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:23.552{FCCA13C7-37E3-63C5-7105-00000000AF02}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:24.854{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-37E4-63C5-7305-00000000AF02}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:24.854{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:24.854{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:24.854{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:24.854{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:24.854{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-37E4-63C5-7305-00000000AF02}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:24.854{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-37E4-63C5-7305-00000000AF02}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:24.856{FCCA13C7-37E4-63C5-7305-00000000AF02}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:24.745{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53A8D09A88085A67FCADD376935BE742,SHA256=E965927D2376D12A677C875F58EAAFB7034D12ADE0B2331DC4A671DC1AAB46CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:24.711{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=16FEFC36DEEBF8EF1429E404084446C5,SHA256=C0A326559DD6D30B3CF36887C5BCE50AD09F5CAEC6C24780C548B34206F250B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:24.701{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:24.698{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:24.692{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:24.690{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:24.688{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:24.682{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 23542300x800000000000000029164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:24.436{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=55D08FC9E58CA35DB83F08A02E4058D8,SHA256=89565A03DB9E6F1EE47E167ADEFBCB786F05B34BD69655101096A661D0ED3306,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:24.361{FCCA13C7-37E4-63C5-7205-00000000AF02}55924692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:24.178{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-37E4-63C5-7205-00000000AF02}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:24.178{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:24.178{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:24.178{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:24.178{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:24.178{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-37E4-63C5-7205-00000000AF02}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:24.178{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-37E4-63C5-7205-00000000AF02}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:24.178{FCCA13C7-37E4-63C5-7205-00000000AF02}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:25.091{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C20907D655B8C08251E6CE022909F3D9,SHA256=AC53DDD7ECB3477C5EB085B24D7905160106F7689E99ABC9123CE69932DB2982,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:25.626{FCCA13C7-37E5-63C5-7405-00000000AF02}30642384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:25.459{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-37E5-63C5-7405-00000000AF02}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:25.459{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:25.459{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:25.459{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:25.459{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:25.459{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-37E5-63C5-7405-00000000AF02}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:25.459{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-37E5-63C5-7405-00000000AF02}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:25.460{FCCA13C7-37E5-63C5-7405-00000000AF02}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:25.330{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:25.329{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:25.306{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:25.299{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:25.286{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:25.283{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:25.260{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:25.253{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:25.241{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:25.236{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:25.234{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:25.231{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:25.229{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:25.228{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:25.225{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:25.222{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:25.221{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:25.220{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:25.219{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000029181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:25.217{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 23542300x800000000000000012424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:26.200{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA1386764777C27F146BAB3DF2A7E7A,SHA256=7FAD617F4028A81E626B6FE69C5960741E2F47664D4530412E16AF99FE098A05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:26.549{FCCA13C7-37E6-63C5-7505-00000000AF02}65285452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:26.387{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-37E6-63C5-7505-00000000AF02}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:26.385{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:26.385{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:26.384{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:26.384{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:26.384{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-37E6-63C5-7505-00000000AF02}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:26.384{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-37E6-63C5-7505-00000000AF02}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:26.384{FCCA13C7-37E6-63C5-7505-00000000AF02}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:26.055{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F74FB11CA6C0A48CB80F54D4055F23E,SHA256=BEAE11E2FD63E114FABAA8F74A471152DC2A9DFD50CA45083933FE2980A54EA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:27.729{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8C9278B8EAC3B66E30C6787BD982048C,SHA256=91BA8F64DBF3917EE2E20F1BCD592C9014FFF8E54A6A7CAE8052231DCF69BA57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:27.292{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB5AD5643603A0258ABAE672778AAC7A,SHA256=E3C91E22D83224ACB00B6F35D9CEF04BAD9A2B0DAC1C0A933F3E71B1F4E5C0EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:27.259{FCCA13C7-37E7-63C5-7605-00000000AF02}40081640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:27.118{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34176A327D54B6D824D56699A6EA3C5A,SHA256=C26827A20A6BD5338382C1E68D7BE5A54520C14962ABA9AD19F177C0E2423A63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:27.058{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-37E7-63C5-7605-00000000AF02}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:27.058{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:27.058{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:27.058{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:27.058{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:27.058{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-37E7-63C5-7605-00000000AF02}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:27.058{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-37E7-63C5-7605-00000000AF02}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:27.059{FCCA13C7-37E7-63C5-7605-00000000AF02}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:28.396{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=893265A7EF14A04BF2A4785391B63893,SHA256=75F668EB2F8DFF7B3B411704AE3874BB0CDB664EC6ECB04C192C257C1A3A845F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:28.204{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5D30BC46B09DC4FCB5DDF0D1F13DD8C,SHA256=6300089F633667FAE13F0B56DBE0BDE01D58281ED2E815B422B5D7347D9D1E7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:24.625{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49918-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000012439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:29.998{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:29.991{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:29.985{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:29.959{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:29.953{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:29.945{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:29.936{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:29.927{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:29.920{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:29.917{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 23542300x800000000000000012429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:29.482{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E81144B30A0728882F82E4E15BDC8C00,SHA256=116756BC2D9EF4C8C4A9577C72A028AB5785BC147009A11487F050D968D42503,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:29.305{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B22F3BB9C6C43F7AAD1A01F83693025,SHA256=A6254C2BA13D674C8D5116909BEBA286F1993C035AC4F1D14730D61D9766CF32,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:24.648{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59291-false10.0.1.12-8000- 10341000x800000000000000029238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:29.070{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-37E9-63C5-7705-00000000AF02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:29.070{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:29.070{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:29.070{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:29.070{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:29.070{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-37E9-63C5-7705-00000000AF02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:29.070{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-37E9-63C5-7705-00000000AF02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:29.071{FCCA13C7-37E9-63C5-7705-00000000AF02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:30.933{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B17A64E78DE3B35102EB78107795EC3,SHA256=985906665CAD3859F316AB7C4A36C94F8E520E0FC5CFF511D6FF68214AE2631F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:30.306{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD8E61E619B9838019954B3138ADF7B2,SHA256=ED628BB0411D30793E9D76048F6BE44EE7FFEEC9614FFFC2C54D7B36A5DAC7CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:30.085{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:30.082{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:30.080{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:30.079{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:30.075{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:30.073{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:30.072{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:30.071{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:30.070{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:30.067{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:30.066{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:30.064{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:30.060{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:30.054{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:30.051{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:30.045{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:30.038{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:30.023{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:30.021{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:30.012{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:30.006{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 23542300x800000000000000012462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:31.977{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DEBC7C099D2C3E1A0E8CAF4A03E8612,SHA256=5FCA2A4A6C28C73DB32AF377D57C994B7A8BD2F04557D0B7109658B631062E9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:31.406{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FA2AF8CA7187D840575189F937CAFAE,SHA256=A6DC9BA138E14573F961821928070750FBF8E83CB54F1CE841A875DFFE827A0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:32.475{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F3BC9893EAB03953AF4FF52304FF086,SHA256=2211206420F5E570A817A3513208179D1CAC1887F2991FB2639A37C0A9EFCAA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:33.554{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=166186A2A4ED534F2541C5728E8FA003,SHA256=EE6A35D90DD857C0DD61C8B340E4486C85D9C17DB76EC21A32E415B52ADABBD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:33.076{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D5CD69C407DF6649BC25D872155D417,SHA256=FB47409AB970511DC8FD84EE246D571030DEA755E51F1E8E31BC33ED3D8F4BDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:34.651{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9DF85BC2614AE73DA6F4A30CAE12112,SHA256=6F2B7A49A393CC7B2BC2FEF53304DAA6612EE78C9D85F56148FD3EF2C429D576,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:30.578{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49919-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000012464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:34.169{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4D5F3FC380C0A747E6937AE4198AD68,SHA256=85D01AD4B2766CEDF2D384DEF740503AB615E002124AA84113B6D900A7A7DB0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:30.544{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59292-false10.0.1.12-8000- 23542300x800000000000000029247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:35.731{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E6A574BC103491141866B3DC529220C,SHA256=5CB329B395A099E130B80A380BCD8600E80F72BC3461B94F312E6E244AE0DB19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:35.253{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B17F860BE3ED51BB10ADA0A783C4EDE8,SHA256=ADB930446DEF474888BEF70825C7BC1CE7B8C39809EC1E4BF4189EC49974B4B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:36.794{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA6671F60AFE74AE4C8FE78E3A26C684,SHA256=F54D245DB033F9C8799A78D3274D617A2919E91DC485F13F3FC4163DA8632BAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:36.350{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7532AABB4C718C525AFA8C67B270010,SHA256=2DABA699DCE774D37D3B446CECF56E2E4B6F5C7917E2BC593AC42FDA084CE915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:37.882{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A83C05A7C2D09F4A404CE4D1A11B385,SHA256=6009EE40D3624BD34076F2CE939FE1EF20133759D011A605295957A59F5D92A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:37.442{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25C3B24A22A8E1D449539DA078437FB6,SHA256=E75D4E4BA642A282073A45AC15FF9CDF2A081A839917204CD04CE5A574292C33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:38.977{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C97DEC08CAB18201994CF715257AE8,SHA256=67C11F2117EE6328B8A11F762421EED3EA0E4D6924BFE388CB54D7C10EC13096,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:38.523{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6C656A96D682317BA345C48B912EFB0,SHA256=4D4E06BD9B88DEE9F4D51F794C30DE35A133DAD143F09214635374E215128D73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:39.607{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75187825E6EE2B7D0A019E4D729E0F34,SHA256=EEB08E9575DF69162D048D2899670F758A95E1260246977E4C9ED6ABFC4360F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:35.618{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59293-false10.0.1.12-8000- 354300x800000000000000012470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:36.479{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49920-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000012472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:40.697{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C74BB0FB16D0EA0565385FACA25B10,SHA256=41BF0DE584C03877C7D5639D57BDC3E26D6513FE26A2F8F668A495D157422F99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:40.084{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6FAAFAEC6F7DAB28326737A428B3638,SHA256=4156BC4BC24EC3EC28DE9F122B9363CA532E15F073229DE07FD80F3F0DE500A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:41.791{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7ABD4DE6C84A88AF39BB8F95352F375,SHA256=2697E54E075F7D436E1DD93C23E05334950D0A80ACCE3D6CEC381726565B4266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:41.168{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAD7EC455B3D5C62C169C4D79AC736F5,SHA256=4B6A6D625F1C3EE42824750C80F92EB27DB41C4600FBDF3698B2A56FFE09C06B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:42.887{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C2AD9202F2B038FF1D58985D1273E82,SHA256=C62BFC56AA4E9909CE386CE9AF4540C9806B95A02B5B7BCACF2F30DF0F57D84A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:42.738{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:42.733{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 23542300x800000000000000029274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:42.447{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\respondent-20230116111158-028MD5=3A7897B317CA03B79FE07533175F9643,SHA256=F76FF17815B8F96571634A983322FD544389A7130FC207258DDFB92658757A4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:42.318{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:42.304{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:42.295{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:42.290{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:42.284{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:42.282{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 23542300x800000000000000029267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:42.248{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ED40C571EE51321DF80D022E11F69A5,SHA256=AA1484A7C80734F11914F90F0521DE8FC98BF2FB582524142C903E5E2D684CB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:42.245{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:42.236{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:42.218{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:42.212{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:42.206{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:42.178{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:42.168{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:42.152{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:42.146{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:42.137{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:42.130{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:42.093{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:42.091{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 23542300x800000000000000012476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:43.988{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40F6DFB5156F42A032A2F72C737DCC2D,SHA256=3C3C0C9F61463A8F1B2BFA3ECAA22B3E7CF47CBF5017BB9C04D8EC673C05A416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:43.908{FCCA13C7-30ED-63C5-1100-00000000AF02}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=85351F4A12059B299E16D5168CA8867E,SHA256=A40C4CED4BA006D53C6036A6AAD3763DAFBF2384C9A37BCA7CF3AAE8C282CF13,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000029292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:41:43.786{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7dcbaa14-871e-49fc-ad8d-7d6afe58ab5a}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x800000000000000029291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:41:43.786{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7dcbaa14-871e-49fc-ad8d-7d6afe58ab5a}\IsServerNapAwareDWORD (0x00000000) 13241300x800000000000000029290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:41:43.786{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7dcbaa14-871e-49fc-ad8d-7d6afe58ab5a}\AddressTypeDWORD (0x00000000) 13241300x800000000000000029289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:41:43.786{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7dcbaa14-871e-49fc-ad8d-7d6afe58ab5a}\LeaseTerminatesTimeDWORD (0x63c54607) 13241300x800000000000000029288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:41:43.786{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7dcbaa14-871e-49fc-ad8d-7d6afe58ab5a}\T2DWORD (0x63c54445) 13241300x800000000000000029287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:41:43.786{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7dcbaa14-871e-49fc-ad8d-7d6afe58ab5a}\T1DWORD (0x63c53eff) 13241300x800000000000000029286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:41:43.786{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7dcbaa14-871e-49fc-ad8d-7d6afe58ab5a}\LeaseObtainedTimeDWORD (0x63c537f7) 13241300x800000000000000029285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:41:43.786{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7dcbaa14-871e-49fc-ad8d-7d6afe58ab5a}\LeaseDWORD (0x00000e10) 13241300x800000000000000029284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:41:43.786{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7dcbaa14-871e-49fc-ad8d-7d6afe58ab5a}\DhcpServer10.0.1.1 13241300x800000000000000029283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:41:43.786{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7dcbaa14-871e-49fc-ad8d-7d6afe58ab5a}\DhcpSubnetMask255.255.255.0 13241300x800000000000000029282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:41:43.786{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7dcbaa14-871e-49fc-ad8d-7d6afe58ab5a}\DhcpIPAddress10.0.1.14 13241300x800000000000000029281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:41:43.786{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7dcbaa14-871e-49fc-ad8d-7d6afe58ab5a}\DhcpInterfaceOptionsBinary Data 10341000x800000000000000029280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:43.770{FCCA13C7-30EE-63C5-1600-00000000AF02}12927080C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:43.770{FCCA13C7-30EE-63C5-1600-00000000AF02}12927080C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:43.458{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\surveyor-20230116111156-029MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:43.301{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B23A9B65194CA488FF051D09CD96FBE0,SHA256=84811487085A8293A616BEC6428A2F59DD2C373535E9F9F83F829850AC9917FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:43.754{312A7A06-3345-63C5-1200-00000000B002}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=28F88200D38BEFE6D713EF03705AB636,SHA256=1D149AA2592B5BBF4E0CEAFEEDEA93BD82B177C0A74BF6701A750D6CAC49C8E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:44.805{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:44.804{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:44.796{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:44.796{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:44.795{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:44.794{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:44.790{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:44.784{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 354300x800000000000000029296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:41.519{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59294-false10.0.1.12-8000- 13241300x800000000000000029295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:41:44.423{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d9299f-0x8226748b) 23542300x800000000000000029294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:44.392{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F921E651AEC8F7CF20D45AD3F23340,SHA256=6545AABE3539FAEEAA2BBA374682BB340419A82D0C1D4E6085A9DE5B8086BF7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:45.848{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=633950AEC18FB29D663465177C99FFDF,SHA256=260321DE959B27FFFB4EE3D59E19E6987EA82E3916D7C92357B0AD9043CE0268,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000029340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:41:45.817{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{7DCBAA14-871E-49FC-AD8D-7D6AFE58AB5A}\RegisteredSinceBootDWORD (0x00000001) 13241300x800000000000000029339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:41:45.817{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{7DCBAA14-871E-49FC-AD8D-7D6AFE58AB5A}\StaleAdapterDWORD (0x00000000) 13241300x800000000000000029338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:41:45.817{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{7DCBAA14-871E-49FC-AD8D-7D6AFE58AB5A}\CompartmentIdDWORD (0x00000001) 13241300x800000000000000029337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:41:45.817{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{7DCBAA14-871E-49FC-AD8D-7D6AFE58AB5A}\FlagsDWORD (0x00000002) 13241300x800000000000000029336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:41:45.817{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{7DCBAA14-871E-49FC-AD8D-7D6AFE58AB5A}\TtlDWORD (0x000004b0) 13241300x800000000000000029335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:41:45.817{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{7DCBAA14-871E-49FC-AD8D-7D6AFE58AB5A}\SentPriUpdateToIpBinary Data 13241300x800000000000000029334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:41:45.817{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{7DCBAA14-871E-49FC-AD8D-7D6AFE58AB5A}\SentUpdateToIpBinary Data 13241300x800000000000000029333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:41:45.817{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{7DCBAA14-871E-49FC-AD8D-7D6AFE58AB5A}\DnsServersBinary Data 13241300x800000000000000029332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:41:45.817{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{7DCBAA14-871E-49FC-AD8D-7D6AFE58AB5A}\HostAddrsBinary Data 13241300x800000000000000029331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:41:45.817{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{7DCBAA14-871E-49FC-AD8D-7D6AFE58AB5A}\PrimaryDomainNameattackrange.local 13241300x800000000000000029330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:41:45.817{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{7DCBAA14-871E-49FC-AD8D-7D6AFE58AB5A}\AdapterDomainName(Empty) 13241300x800000000000000029329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:41:45.817{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{7DCBAA14-871E-49FC-AD8D-7D6AFE58AB5A}\Hostnamewin-dc-ctus-attack-range-221 10341000x800000000000000029328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:45.801{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+32ce5|C:\Windows\system32\lsasrv.dll+30b6b|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 13241300x800000000000000029327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:41:45.801{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{7DCBAA14-871E-49FC-AD8D-7D6AFE58AB5A}\RegisteredSinceBootDWORD (0x00000001) 23542300x800000000000000029326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:45.499{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=195865B818B0947F9A483E0D5DFB7BC9,SHA256=4ED8DE1F219942F46978F6942A92AE880688725151FB95C8224CC2EF271958F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:45.478{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:45.477{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:45.437{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:45.424{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:45.407{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:45.404{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 354300x800000000000000012478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:41.625{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49921-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000012477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:45.077{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A51AC2037F3ABEF06EC984925971A3B1,SHA256=94FEF97C75445D6AE6122C5C2E2FB13A9F5825AB9BD3E6CF2325DBDED8467388,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:45.372{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:45.363{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:45.341{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:45.336{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:45.334{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:45.328{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:45.326{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:45.325{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:45.320{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:45.317{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:45.315{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:45.314{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:45.313{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:45.311{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 354300x800000000000000029305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:42.267{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.us-east-2.compute.internal67bootps 23542300x800000000000000029342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:46.482{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9558DB406D5C8A53040AD9A8C9340903,SHA256=89FD9A08441363337ED8ED0CCB0D0C79558701BAD0D06CFDB79C186FDF7C3560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:46.178{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D6DCE3C3E897A6BBBBDFE9CE5385694,SHA256=5C9C4CBDDB1CBFBC0F3F6CE96F4D4567E33CD3557B9921EC04EE073D4F000DB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:47.275{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44B0F9D5D4560994E32A9EEDD9AEA2CB,SHA256=445BBE1A51322972949F087BA21DE85FDE70E632AACA2116CAE064203D8548A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:47.566{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF74EBA6934A241C951035F54F9423E2,SHA256=3460317856C89D133949EBB39A362E7AB279F07D762E41A61E6CD996E9454969,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:44.300{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local61088- 354300x800000000000000029352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:44.298{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local51180- 354300x800000000000000029351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:44.297{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local50102- 354300x800000000000000029350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:44.297{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local57666- 354300x800000000000000029349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:44.292{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local56779-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000029348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:44.292{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local56779-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000029347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:44.289{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56778-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local53domain 354300x800000000000000029346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:44.289{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56778-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local53domain 354300x800000000000000029345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:44.287{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56808-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local53domain 354300x800000000000000029344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:44.286{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local58662- 354300x800000000000000029343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:43.728{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local57679- 23542300x800000000000000012481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:48.366{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51E5C3578DD8863278E9CE861DEFFA73,SHA256=E668AFF7CBA3728300BCDD52ACFA419343EE2C3FDCF021840AF0BCABD45213AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:48.660{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73C34770469DFAE32761D8F714D8EA04,SHA256=980C40EF87965142B93DAA47B56B867D950D1A806D62DEB67C642D341E49AD67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:49.978{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:49.973{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:49.965{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:49.959{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:49.955{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:49.951{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:49.942{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 23542300x800000000000000012482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:49.456{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A3A2BC3B8632B6196DAF5940C1A363A,SHA256=35DEC2FFDAF00EF9EE9322C6DBDEFDFFC5564FF456BC8CEA8EA2A0EB31017145,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:49.745{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02F3A22BD38DD0CFA6654CA929E1B825,SHA256=11BA9715F0B2B88A4CDA43C079C9577C0A06D4ADAD6EEA4B748D6A4B5BA7B6AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:50.957{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F1095ED579F6005673FD35554309427,SHA256=3D84F430FB9BADC2D0E237406B2B8E8011B08C676394B6CA6F77B60FA0409F94,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:47.568{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49922-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:50.837{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61C799AF8350E62423F2DC1205144008,SHA256=40F9CD3FB210634BE017452FBE3A2BF053462C6EC66CF31186F42CF7BD0754CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:50.144{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:50.143{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:50.140{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:50.139{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:50.133{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:50.130{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:50.129{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:50.128{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:50.127{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:50.125{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:50.124{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:50.123{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:50.118{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:50.111{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:50.109{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:50.104{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:50.097{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:50.078{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:50.072{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:50.063{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:50.051{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:50.032{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:50.024{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:50.017{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 23542300x800000000000000012516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:51.856{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD406E6324342297AF7BCEF755BC864E,SHA256=E02A206F3A89C538FE639B5D3B8C2E82D81481F9EC0019F62B9C0A1BB262352F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:51.930{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9F5DCE62B926FE15488BB54541086B3,SHA256=1BBC8D9237EC194E2EC08EFD46E372A0025F3A6C94B96CD9365A9E66BBDDF008,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:47.519{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56780-false10.0.1.12-8000- 23542300x800000000000000012521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:52.936{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9371A1F02B1635731E564BB779219212,SHA256=A92C465A8EA4F743618BBAF0100308CDEFECD6A6EDF25C8983FF3374DF651D8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:52.918{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:52.918{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:52.918{312A7A06-3345-63C5-0B00-00000000B002}628668C:\Windows\system32\lsass.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:52.902{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1D00-00000000B002}1996C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000012522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:53.920{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=739724F5EA458D17AD939ED82E98B583,SHA256=C1D6E46B37C44BFF7F306CF83482B776557D899A7D0273691571C3AF604E4061,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:53.025{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D685FEC888A67AF3CAF960BF5F86F2B,SHA256=61C199EDDF91AFB3825EFD244EC9DCAC310DE8E8087DC08B702195E43BDEE444,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:54.904{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5C4A99A7A8B178D27D93FE6E7C9358C7,SHA256=E80982A6F2865B5EB57D82155FDE9084C8A4760F68A1BD5825E43A07F5740ADC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:54.115{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D19A16A03DC81478809E05CD3A9A075,SHA256=2860200A3D84BB57BFD2ACF578E4587EF559206014330724707775A359DCD592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:55.021{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3D3E69BD750ACD770A995133FE95669,SHA256=2216851111B820CBD9D2E7A367D7248A33BC73839B68F2BA779AF678909E6A40,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:52.658{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56781-false10.0.1.12-8000- 23542300x800000000000000029363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:55.221{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91E68BDD415093BC6FDEE9A81D63D17F,SHA256=FB9694A76C9057C6B39D4D355669BB1930E7228238F77E405DB9388AE2E1AED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:56.311{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=272688A35A1D57B536BA03530AA8757F,SHA256=6CBC5375865A0109C315372A9C82E2E372A1E6663DDA90100B209B77C31DBA40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:56.815{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3804-63C5-9F01-00000000B002}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:56.815{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:56.815{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:56.815{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:56.815{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:56.815{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:56.815{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:56.815{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:56.815{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:56.815{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:56.815{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-3804-63C5-9F01-00000000B002}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:56.815{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3804-63C5-9F01-00000000B002}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:56.815{312A7A06-3804-63C5-9F01-00000000B002}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000012537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:56.143{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3804-63C5-9E01-00000000B002}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:56.143{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:56.143{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:56.143{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:56.143{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:56.143{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:56.143{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:56.143{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:56.143{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:56.143{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:56.143{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-3804-63C5-9E01-00000000B002}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:56.143{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3804-63C5-9E01-00000000B002}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:56.144{312A7A06-3804-63C5-9E01-00000000B002}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:56.127{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6143CBE46A03D4748A9E1A439533F543,SHA256=208E3B5CADA20D241B72F7750D64B46C7547C0E12E17716A3DF08BAF6AF3863D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:57.452{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:57.405{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A598A2979D7DA282DD61A62DDD752EA3,SHA256=F0EF61A747305F5AF715A84513B3045458B322CEB280EB9BAC762820169663FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:57.908{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CF717E690B6114588D22D95EE54DADBA,SHA256=EC59A83C5A955C3FD3A0C30A0172C65E1B1772312D5892E0CC46F52DF81DADB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:57.480{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3805-63C5-A001-00000000B002}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:57.480{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:57.480{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:57.480{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:57.480{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:57.480{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:57.480{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:57.480{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:57.480{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:57.480{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:57.480{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-3805-63C5-A001-00000000B002}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:57.480{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3805-63C5-A001-00000000B002}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:57.480{312A7A06-3805-63C5-A001-00000000B002}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:57.292{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E28A4A7F84A353E90DC1471297ACBD2C,SHA256=DE4BD5A0B8DA7EE30BA8BF0990DD0B2E1B3043E6C39557119E957732B5AC3F98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:57.214{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F389146275DA4F7D438FFE2D64F90FAC,SHA256=CEB5574C2F8FCD377F91C219FF9DBDDCA7BE9ABC6974BAEEC62DD7A979E78B17,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:53.523{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49923-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000012552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:57.105{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=43D9D45625177955FA3D7DEF6965EBFF,SHA256=5357E1C06F753C8205304E4D13FE30E8885B01C303083A1B9C0795C953116428,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:57.027{312A7A06-3804-63C5-9F01-00000000B002}40202928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000029369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:55.933{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56782-false10.0.1.12-8089- 23542300x800000000000000029368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:58.492{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD1E4AD54EA0952EC9E2A2A02EEE7E3,SHA256=0E6E2F865CBB19654C1ED98C3AECE7AB81060D078D6FA0E6373EDB373CE8EFAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:58.857{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3806-63C5-A101-00000000B002}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:58.857{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:58.857{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:58.857{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:58.857{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:58.857{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:58.857{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:58.857{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:58.857{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:58.857{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:58.857{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-3806-63C5-A101-00000000B002}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:58.857{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3806-63C5-A101-00000000B002}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:58.857{312A7A06-3806-63C5-A101-00000000B002}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:58.227{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA77F755D4B8358360277D34027AFEC0,SHA256=15E4F53F1C4AB5651CF55201F960564ECFB9A05FF78371C8ECF0FB6760DD5C75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:59.574{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=452DA1A365377A8FF601623D6CB395DC,SHA256=FAD700595CA9451A10A19A444A1CF04440ECDBA3446DE0F226DF0C7C732AEBBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:59.860{312A7A06-3807-63C5-A201-00000000B002}31443744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:59.678{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3807-63C5-A201-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:59.678{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:59.678{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:59.678{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:59.678{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:59.678{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:59.678{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:59.678{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:59.678{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:59.678{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:59.678{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-3807-63C5-A201-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:59.678{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3807-63C5-A201-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:59.679{312A7A06-3807-63C5-A201-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:59.318{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83DF9A6A45CE890F8DD4F9C22EEEBB61,SHA256=0606565FD18EB99FD66D069D2EB9F9AF628CED76F6DD190D1947279C4DCC6165,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:59.115{FCCA13C7-30ED-63C5-0D00-00000000AF02}9084216C:\Windows\system32\svchost.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:59.030{312A7A06-3806-63C5-A101-00000000B002}2784748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:00.652{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1339ABF054BFD3CB52CD78DA0435F7A8,SHA256=F6C6226B64E0C7112E5D01BA2CADF197D489C50BF7F18FA9AE1E601C3E675C0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:00.487{312A7A06-3808-63C5-A301-00000000B002}36684012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000012613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:00.410{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=373371402A10F05B23EA850CAEED4094,SHA256=CDECED5930E4AF86D468DFE5E6F4EEA95855EB68AEB26AC61371CCB56F77FD74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:00.347{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3808-63C5-A301-00000000B002}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:00.347{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:00.347{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:00.347{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:00.347{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:00.347{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:00.347{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:00.347{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:00.347{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:00.347{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:00.347{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-3808-63C5-A301-00000000B002}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:00.347{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3808-63C5-A301-00000000B002}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:00.347{312A7A06-3808-63C5-A301-00000000B002}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:01.741{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A15675B170C8369091542D7493F81280,SHA256=86DD20619E986F161074CD727EE34371429BB3B8C16CBC599A54D670C541813B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:01.772{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FEAAE3985A802B39C56F0D092ADE933,SHA256=495BE3FD1C9CDF6B0D914326A6573E66EC493EE5B3FC0849B04EDDE10C68BC6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:01.335{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3809-63C5-A401-00000000B002}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:01.332{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:01.332{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:01.332{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:01.332{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:01.332{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:01.332{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:01.331{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:01.331{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:01.331{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:01.331{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-3809-63C5-A401-00000000B002}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:01.331{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3809-63C5-A401-00000000B002}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:01.331{312A7A06-3809-63C5-A401-00000000B002}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000029396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:58.664{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56783-false10.0.1.12-8000- 10341000x800000000000000029395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:02.802{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:02.798{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000029393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:02.778{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34CA7C708A4CD0FD6968D577ACC30977,SHA256=B4617FC75A20226990996D5A109630B0952F5F4504CCD40310B747354EEFBA07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:02.847{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE430FF7195043E1B0C45490D532F2B0,SHA256=87729F8AB111378144B3FDC0BF124B800F7F0A648B8D0354BF1C60C4EE883DC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:02.414{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:02.404{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:02.398{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:02.395{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:02.394{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:02.392{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:02.367{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:02.355{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:02.337{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:02.327{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:02.321{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:02.287{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:02.276{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:02.254{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:02.245{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:02.226{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:02.211{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:02.125{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:02.120{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000029397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:03.882{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23165B1C10E34A773003D034B95CB023,SHA256=411FEB13E3791D356F86CF89315C4839A9C5CA51AB0241E8845DB5251EB56295,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:03.958{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=194BCDE41AA0D0FC2D6106DBD3AA6C50,SHA256=E68ECD68114B2924E5581C335B61D2E0FEA28E8C3F01DC5DF93FB080EE8C72A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:59.486{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49924-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:04.953{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2E945572944BC2265163FCCD4A81143,SHA256=99FFECC2B4CAC5D67C6FFF70028C686CB811F5909FA5A6389F2DF4A800D040CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:04.878{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:04.876{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:04.870{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:04.867{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:04.862{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:04.849{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:04.515{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:04.515{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:04.515{FCCA13C7-30EC-63C5-0B00-00000000AF02}628844C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:04.499{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-AF01-00000000AF02}3376C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:05.556{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:05.555{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:05.529{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:05.518{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:05.494{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:05.491{FCCA13C7-30ED-63C5-0D00-00000000AF02}9084216C:\Windows\system32\svchost.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:05.488{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:05.458{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:05.451{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:05.434{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:05.422{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:05.421{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:05.417{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:05.414{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:05.412{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:05.406{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:05.398{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:05.397{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:05.397{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:05.395{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000029409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:05.393{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000012632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:05.052{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80291E084FDA5B40DDBC695F5B7D1BEE,SHA256=92C2557DF921E12482267C7A25F6AC6AA0C6A7635C58E8F82E05C0C8E5E9950A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:06.049{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FFCB20E62FC2FBD969D741CF047466,SHA256=8C1B9A3ACE47941857E522020B7D99DF850B96CDB54D0AF69B52919956AF95E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:06.154{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF3816A831EE6B700ED303A38C064E74,SHA256=3C66511545C9B871DEA6D2752274B3232B97A23E2BED6C58D1159F077BA5E6DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:07.232{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=758434AD0046502B5D90AC2450852329,SHA256=CA2DC26FD4CB88FEA03C094AC98AEF5A6FB2E644BAF980638A275E9A6495305D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:04.621{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56784-false10.0.1.12-8000- 10341000x800000000000000029441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:07.764{FCCA13C7-30EE-63C5-1600-00000000AF02}12921824C:\Windows\system32\svchost.exe{FCCA13C7-380F-63C5-7805-00000000AF02}6556C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:07.764{FCCA13C7-30EE-63C5-1600-00000000AF02}12921332C:\Windows\system32\svchost.exe{FCCA13C7-380F-63C5-7805-00000000AF02}6556C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:07.717{FCCA13C7-3383-63C5-8701-00000000AF02}33725032C:\Windows\system32\csrss.exe{FCCA13C7-380F-63C5-7805-00000000AF02}6556C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:07.717{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:07.717{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:07.717{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:07.717{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:07.717{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-380F-63C5-7805-00000000AF02}6556C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:07.717{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-380F-63C5-7805-00000000AF02}6556C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+26002|c:\windows\system32\rpcss.dll+415bd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:07.723{FCCA13C7-380F-63C5-7805-00000000AF02}6556C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{FCCA13C7-3385-63C5-B3E7-140000000000}0x14e7b32HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x800000000000000029431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:07.124{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CAB60839E3CA1E8DE46C9519CF3B747,SHA256=956517F125E89A8258BCA036537935E71C129AC95501398FE857CF728B4B7EAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:08.327{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04FF76F488652D08CE05820726A83D61,SHA256=AC8C016C8C8B4F00751CBEBA33A7FA54B2D59CF2E542D0E487087478BBA550CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:08.201{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA609B2C6320447A8F77F4B2004D4D04,SHA256=82027446542DA5136B4825E53AC23DF092444EC0C57C7E4408396803AFF6B959,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:04.625{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49925-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:08.076{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=969C8DAB6D218D5ABDA46F4798351439,SHA256=F32CA3C8291499BC2F629E134C7622E87C8B1C837BCE4CEE66DE20F02FC52242,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:09.993{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:09.983{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:09.978{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:09.953{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:09.948{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:09.941{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:09.935{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:09.928{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:09.921{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:09.920{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 23542300x800000000000000012637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:09.417{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4122431681B491CE6D85E4ECC6CFC10E,SHA256=60EC20BCB6B7B7A398DF9AD961028C95842BB089C2706D3A32D7EF742F2A432F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000029451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:42:09.963{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x800000000000000029450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:42:09.947{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{ECF03A32-103D-11D2-854D-006008059367} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x800000000000000029449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:42:09.931{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x800000000000000029448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:42:09.916{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x800000000000000029447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:42:09.838{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B298D29A-A6ED-11DE-BA8C-A68E55D89593} {000214E4-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x800000000000000029446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:42:09.838{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99D353BC-C813-41EC-8F28-EAE61E702E57} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFFBinary Data 23542300x800000000000000029445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:09.295{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5F0B757BE6A1E1F6C28E4E20B1FAC4E,SHA256=B9EEC1812E25A54F5754FBC694E00697B9D082DB61A4457B892078C054A6DDEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:10.792{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F99B455702542E39375E62BC54C9781,SHA256=A8574F375C62DA99EF9ECEF6321033DD378A1320FC1E388B76BE16BBC4D2FB56,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000029453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:42:10.793{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{939D20AC-8036-406F-BD5C-BF672896BD71} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFFBinary Data 23542300x800000000000000029452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:10.402{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32806C1F7012E4041360CF677BE9DA7C,SHA256=F82946B82F0AAC5453B3661691B459C39C8187BF4D761E5CA9AC9652BAFE0A2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:10.106{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:10.103{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:10.100{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:10.100{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:10.095{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:10.093{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:10.092{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:10.091{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:10.089{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:10.085{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:10.083{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:10.078{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:10.075{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:10.066{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:10.062{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:10.057{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:10.048{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:10.033{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:10.027{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:10.015{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:10.005{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 23542300x800000000000000012670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:11.830{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=163DF82B4C8E8832FC8BFD0E0464677D,SHA256=554648C9C8ACDC252923FE46A518E1EA469DF1EE48994C73BEE7092F93A7DFEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:08.359{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56785-false72.21.91.29-80http 23542300x800000000000000029454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:11.498{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A885139581A59C564C1BDAC678D5C7,SHA256=08910C7487BEA9BE9FF76F96E1D92A945F0877BA4AF513E94CDE51AC8A76074E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:12.935{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98E0150009393646188BFBA489A2CEDF,SHA256=A91F634FB0009076897CBE0C1A62CF97A8A9BEFC6FAECB0D865140E7D4686395,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:10.291{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local56787-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000029462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:10.291{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local56787-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000029461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:09.713{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56786-false10.0.1.12-8000- 23542300x800000000000000029460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:12.842{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23BE26D9EE6E9549154E10012CFA814F,SHA256=57D0902845F423092FDDBC41536037680A61A9AC1BDE1779338502DCF4D7E981,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:12.592{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E0A2D6A7A1B56356EBF4E18D2C318D9,SHA256=436866B16A0A41E360B86C072B5CFD49A51AB986E43CA0B40ABE682AA5270691,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000029458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.localT1158SetValue2023-01-16 11:42:12.295{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHiddenDWORD (0x00000000) 13241300x800000000000000029457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.localT1158SetValue2023-01-16 11:42:12.295{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExtDWORD (0x00000000) 13241300x800000000000000029456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.localT1158SetValue2023-01-16 11:42:12.295{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HiddenDWORD (0x00000002) 23542300x800000000000000029465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:13.678{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBAE744607825BC750632B6835BBDE2C,SHA256=8074B3E930348FD46D45A6495CF170F3A0FB4478A16D6294FA13758B9CDDBFB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:13.085{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=4F53BF838C77D3C18D87752D61BC751B,SHA256=3548EDF5717E3AA1D68721D0CF4EC14B4A62E347D17E9F8AB8CA940F8A7B219F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:14.764{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FD7BD96FF7283DDFE9BB2769569E2CC,SHA256=029C733ED5D8FDC397D8A0903BE4AC82A37A5ED15DC15A0A3F59F58F231E94BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:10.618{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49926-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000012672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:14.041{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D732795928EE9C7CAF4D87666326C522,SHA256=47923601BC60B526349A190F32F2F337E222E3C231EF7A1E110FF7F2F2B31183,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:15.574{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\respondent-20230116112145-019MD5=B18DB66107F9A3DB58AE009D35CE0A39,SHA256=9B023875329D6D96D1D2E2C61D5FC66BDE525A94E7FC76E10487647BF6E62E63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:15.150{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6325CAABD7DAF3C42B3DA2DB52FE9151,SHA256=7596433C642AB6030739AD803828B2248722057C92B29C877BA2565935D3AC91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.784{FCCA13C7-3387-63C5-9D01-00000000AF02}12842640C:\Windows\Explorer.EXE{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.784{FCCA13C7-3387-63C5-9D01-00000000AF02}12842640C:\Windows\Explorer.EXE{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.784{FCCA13C7-3387-63C5-9D01-00000000AF02}12842640C:\Windows\Explorer.EXE{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.784{FCCA13C7-3387-63C5-9D01-00000000AF02}12845980C:\Windows\Explorer.EXE{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.784{FCCA13C7-3387-63C5-9D01-00000000AF02}12845980C:\Windows\Explorer.EXE{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.784{FCCA13C7-3387-63C5-9D01-00000000AF02}12845980C:\Windows\Explorer.EXE{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.784{FCCA13C7-3387-63C5-9D01-00000000AF02}12845980C:\Windows\Explorer.EXE{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.550{FCCA13C7-30EC-63C5-0B00-00000000AF02}628668C:\Windows\system32\lsass.exe{FCCA13C7-3817-63C5-7A05-00000000AF02}5884C:\Program Files\Notepad++\updater\gup.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.550{FCCA13C7-30EC-63C5-0B00-00000000AF02}628668C:\Windows\system32\lsass.exe{FCCA13C7-3817-63C5-7A05-00000000AF02}5884C:\Program Files\Notepad++\updater\gup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.503{FCCA13C7-3386-63C5-9501-00000000AF02}28963900C:\Windows\system32\taskhostw.exe{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.488{FCCA13C7-3386-63C5-9501-00000000AF02}28963900C:\Windows\system32\taskhostw.exe{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.488{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.488{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.488{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.488{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.378{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.316{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.316{FCCA13C7-3383-63C5-8701-00000000AF02}33725032C:\Windows\system32\csrss.exe{FCCA13C7-3817-63C5-7A05-00000000AF02}5884C:\Program Files\Notepad++\updater\gup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.316{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.316{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.316{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.316{FCCA13C7-3816-63C5-7905-00000000AF02}51685364C:\Program Files\Notepad++\notepad++.exe{FCCA13C7-3817-63C5-7A05-00000000AF02}5884C:\Program Files\Notepad++\updater\gup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\SHELL32.dll+599af|C:\Windows\System32\SHELL32.dll+5983c|C:\Windows\System32\SHELL32.dll+5958c|C:\Windows\System32\SHELL32.dll+125a17|C:\Windows\System32\SHELL32.dll+125975|C:\Windows\System32\SHELL32.dll+13e81b|C:\Program Files\Notepad++\notepad++.exe+14b459|C:\Program Files\Notepad++\notepad++.exe+1a2a17|C:\Program Files\Notepad++\notepad++.exe+36d842|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.302{FCCA13C7-3817-63C5-7A05-00000000AF02}5884C:\Program Files\Notepad++\updater\GUP.exe5.24WinGup for Notepad++WinGup for Notepad++Don HO don.h@free.frgup.exe"C:\Program Files\Notepad++\updater\gup.exe" -v8.48 -px64C:\Program Files\Notepad++\updater\ATTACKRANGE\Administrator{FCCA13C7-3385-63C5-B3E7-140000000000}0x14e7b32HighMD5=AD1B5B9F22A4EE6515E5D2B2E59D0E8C,SHA256=D221DFDEB2016D5D24E0F6AE14ECDA84E0F0F8380F02A4EDAA45A354E395A981,IMPHASH=E701E8EF4E4DC8123B85C54C8532ABB5{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Program Files\ansible\AttackRangeSysmon.xml" 10341000x800000000000000029478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.284{FCCA13C7-30EC-63C5-0B00-00000000AF02}628668C:\Windows\system32\lsass.exe{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.284{FCCA13C7-30EC-63C5-0B00-00000000AF02}628668C:\Windows\system32\lsass.exe{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.269{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.253{FCCA13C7-30EE-63C5-1600-00000000AF02}12921824C:\Windows\system32\svchost.exe{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.253{FCCA13C7-30EE-63C5-1600-00000000AF02}12921332C:\Windows\system32\svchost.exe{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.052{FCCA13C7-3383-63C5-8701-00000000AF02}33723484C:\Windows\system32\csrss.exe{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.052{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.052{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.052{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.052{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.052{FCCA13C7-3387-63C5-9D01-00000000AF02}12844284C:\Windows\Explorer.EXE{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+4d8ef|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+16c38c|C:\Windows\System32\SHELL32.dll+19ebfc|C:\Windows\System32\SHELL32.dll+2846f3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16c630|C:\Windows\System32\SHELL32.dll+169a0e|C:\Windows\System32\SHELL32.dll+40eb1|C:\Windows\System32\SHELL32.dll+43d96|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x800000000000000029467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:14.971{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe8.48Notepad++Notepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Windows\system32\ATTACKRANGE\Administrator{FCCA13C7-3385-63C5-B3E7-140000000000}0x14e7b32HighMD5=4F10934BC823396BEF7BB3B1A8D8D7B6,SHA256=6EEBED1FD47637616E93A797FE061D6504AD81454A822EC3BFD172A0F922C884,IMPHASH=8EC2FD92F1BD9347B33C3BF11F5A195A{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\explorer.exe"C:\Windows\Explorer.EXE" /NOUACCHECK 10341000x800000000000000029508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:16.987{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000029507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:16.987{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000029506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:16.987{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000029505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:16.196{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000029504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:16.196{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000029503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:16.196{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 23542300x800000000000000029502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:16.068{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2CD84FE5E72A813F6AB6D1C1C0CFCBE,SHA256=494EAF1DB8671D8605C683599F8CF63F481683FF95C7AEDC8C381B92DA734012,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:16.585{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\surveyor-20230116112142-020MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:16.225{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CEF43B0F1351E766AF18356EECCF31,SHA256=EACCD06D5A723A2DD6169AFA811BD3244761FBC95B21AB1899C5FF122CB4874D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:13.864{00000000-0000-0000-0000-000000000000}5884<unknown process>-tcptruefalse127.0.0.1win-dc-ctus-attack-range-221.attackrange.local56789-false127.0.0.1win-dc-ctus-attack-range-221.attackrange.local56788- 22542200x800000000000000029513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:13.947{00000000-0000-0000-0000-000000000000}5884notepad-plus-plus.org0::ffff:2.57.89.199;<unknown process> 23542300x800000000000000029512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:17.157{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B1BF78A3B0C4A9F82D06FDE2CC8C0F4,SHA256=E2B0E9F057610352E36C478234ADE03E2CECFABD0BB3939660D11F63A26B6AB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:17.323{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E2DAB172137D23DC137FEA595F2F29B,SHA256=FCA2B0389C9358C709C8785B94730A4128A1B8256B78B22C251AA6AFB94B0F35,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:14.038{00000000-0000-0000-0000-000000000000}5884<unknown process>-tcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56790-false2.57.89.199-443https 354300x800000000000000029510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:13.869{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local64555- 354300x800000000000000029509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:13.864{00000000-0000-0000-0000-000000000000}5884<unknown process>-tcpfalsefalse127.0.0.1win-dc-ctus-attack-range-221.attackrange.local56789-false127.0.0.1win-dc-ctus-attack-range-221.attackrange.local56788- 23542300x800000000000000012680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:18.792{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:18.417{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2C02E05BEC2B64C3C8C28977C5D1205,SHA256=1C27957CF453B7B9C2BDB60A71889A0BA8B93102C1E40E18B8F34732C73605CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:18.252{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EFAF01260E15A337B94314709E2210E,SHA256=EE638CFEC97EBCF38574A4FF8055D7CC55BD178E83AC6337516688A7B6FEB56E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:19.521{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D25CD0C717D087656E3F27194587F19,SHA256=E774CD4B0595EEFA8BD0F70F3DCEA92A40FC3A5ACED1F8B1A96ADE405D8D4864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:19.340{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9FFB7C7EC3DC5356ED813DAD429D364,SHA256=0ECCB5CC893AE5C58194D31DB6A738FC28963B4A9636A72AF50DBE5F53370CC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:15.437{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local61740- 354300x800000000000000029516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:14.722{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56791-false10.0.1.12-8000- 23542300x800000000000000012684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:20.615{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF4523D540DBA766009B6BCDFACBC10,SHA256=3DA3887FF16027E3680E16DEE778AEBB15888ED2CF0531EC5A0D13A340C46D50,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:17.153{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49928-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x800000000000000012682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:16.544{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49927-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:20.436{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72458596161B45DF6A3A76D15F90D9C8,SHA256=670AF86B6F831CD88930F650C00F8B31D6EA555F3A82746B636AC6B3C12BA988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:21.724{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC20E553A4B9FF3ED59EF794E0E88529,SHA256=EBC841A4BECAB5D43F3D2F362B9150DC00BDE89147E336EA374F2CA4BA03639F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:21.547{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FF34FADD02068283A45DC036CDAA5A9,SHA256=06A3477B2AEDFF809E1CEE228B6674094C78C3E6C7F36EE0E080357D50816B12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:22.931{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A8B8B4CA56C1796296A98BC0F61DD33,SHA256=602D14379DF855E8EF4B23C1BD2506878AE3D626BEFF093660B0557C89821099,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:22.952{FCCA13C7-30EC-63C5-0B00-00000000AF02}628668C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:22.952{FCCA13C7-30EC-63C5-0B00-00000000AF02}628668C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:22.628{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:22.621{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 23542300x800000000000000029540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:22.601{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F3C1A0C406FD7ACD448FCCF35EA3049,SHA256=7FEAB3D96AA2EB7F8568F550FC185E99319F79E439585F226E6AEE5134486EFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:22.288{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:22.277{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:22.270{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:22.268{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:22.266{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:22.264{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:22.238{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:22.233{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:22.221{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:22.214{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:22.209{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:22.180{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:22.172{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:22.160{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:22.153{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:22.144{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:22.136{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:22.096{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:22.093{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 23542300x800000000000000029553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:23.671{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A94C62907830BF438CCA35AC0D71C78,SHA256=18785740D6ED6FC64EA5B957ADA4856169A8E938F465C1AA02D021F71E757CAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:23.562{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-381F-63C5-7B05-00000000AF02}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:23.562{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:23.562{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:23.562{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:23.562{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:23.562{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-381F-63C5-7B05-00000000AF02}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:23.562{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-381F-63C5-7B05-00000000AF02}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:23.563{FCCA13C7-381F-63C5-7B05-00000000AF02}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000029586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:42:24.992{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6335A056-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6335A056-0000-0000-0000-100000000000.XML 13241300x800000000000000029585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:42:24.977{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\F283BD66-5E50-484D-ADBD-4AC94CBA68D3\Config SourceDWORD (0x00000001) 13241300x800000000000000029584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:42:24.977{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\F283BD66-5E50-484D-ADBD-4AC94CBA68D3\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_F283BD66-5E50-484D-ADBD-4AC94CBA68D3.XML 10341000x800000000000000029583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:24.977{FCCA13C7-30EC-63C5-0B00-00000000AF02}628844C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:24.977{FCCA13C7-30EC-63C5-0B00-00000000AF02}628844C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:24.867{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-3820-63C5-7D05-00000000AF02}7068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:24.867{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2F85E71A09E05ADD19E988A0C67414BD,SHA256=0CE1DC563118927E95930AE061CF6F52B7DFCB29B1FAFD9E79FAB8C85BBB998C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:24.867{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:24.867{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:24.867{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:24.867{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:24.867{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-3820-63C5-7D05-00000000AF02}7068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:24.867{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-3820-63C5-7D05-00000000AF02}7068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:24.868{FCCA13C7-3820-63C5-7D05-00000000AF02}7068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:24.682{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE886DCAF632342B061E7F14F1196762,SHA256=87BBE735587962DCE3C083056A3FC5B6EF69EDC6C692D6EE6A876E19A31BD32B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:24.029{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA874442AFC2F60012C4AB1426F1D33E,SHA256=B7D53EADA618C5FCF0B0015B0CC973DD564A88AE40491862CEF95A2248188098,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:24.672{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:24.670{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:24.665{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:24.662{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:24.661{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:24.656{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:24.369{FCCA13C7-3820-63C5-7C05-00000000AF02}53087084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000029564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:21.435{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local56793-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local135epmap 354300x800000000000000029563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:21.435{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local56793-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local135epmap 354300x800000000000000029562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:20.623{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56792-false10.0.1.12-8000- 10341000x800000000000000029561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:24.191{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-3820-63C5-7C05-00000000AF02}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:24.189{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:24.189{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:24.189{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:24.189{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:24.188{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-3820-63C5-7C05-00000000AF02}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:24.188{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-3820-63C5-7C05-00000000AF02}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:24.187{FCCA13C7-3820-63C5-7C05-00000000AF02}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.833{FCCA13C7-30EC-63C5-0B00-00000000AF02}628844C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.833{FCCA13C7-30EC-63C5-0B00-00000000AF02}628844C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.833{FCCA13C7-30EC-63C5-0B00-00000000AF02}628844C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.833{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FDCC3AF8A6A6B8E69088086FB30C0A5,SHA256=0D75461796BFB6B8EB740A34499A27AFA5A38FB185176888EC9A363FFDA64D21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.724{FCCA13C7-3821-63C5-7E05-00000000AF02}45286264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000012689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:22.518{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49929-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000012688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:25.134{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4A4CC0781D3A777790789D089FCBAB8,SHA256=B6208966F70DE9B2078B3793DE1D9EE554CA152F33AB96FDA087EE0CA394C210,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.536{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-3821-63C5-7E05-00000000AF02}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.536{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.536{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.536{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.536{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-3821-63C5-7E05-00000000AF02}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.536{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.536{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-3821-63C5-7E05-00000000AF02}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.537{FCCA13C7-3821-63C5-7E05-00000000AF02}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.296{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.295{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.294{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.273{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.265{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.251{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.248{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.220{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 23542300x800000000000000029600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.219{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=93D42A8FC3C8E1BF20884CBCF7264EA7,SHA256=38FA31B26A5982973F0BBA92419EE60F77E469A4AF1E824A1E7BE63DEA565847,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.213{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.199{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.195{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.193{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.190{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.188{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.187{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.183{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.180{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.180{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.179{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.178{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.176{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 23542300x800000000000000029643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:26.952{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4D8D1B69B90210A3F183C58B3FF3632,SHA256=D230E0B9698B3011846875CD49C86B7DAE3AA98AAC8F216BD50BAA8DCD4019BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:26.937{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-3822-63C5-8005-00000000AF02}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:26.937{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:26.937{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:26.937{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:26.937{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:26.937{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-3822-63C5-8005-00000000AF02}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:26.937{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-3822-63C5-8005-00000000AF02}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:26.938{FCCA13C7-3822-63C5-8005-00000000AF02}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:26.843{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8796E844C69608D234537A01F6E96825,SHA256=6388F2484F999E9215B3297E98718D1352BDEA86A4E526C2B0B87CC05923B1EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:26.237{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23FA8C4B48917019B06D365365065388,SHA256=7257189C30C6F53D9E08758359C96085B5C62AC49DADD258AD6FCEBF51B5B958,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:26.658{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:26.658{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:26.658{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:26.561{FCCA13C7-3822-63C5-7F05-00000000AF02}57645320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:26.389{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-3822-63C5-7F05-00000000AF02}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:26.389{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:26.389{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:26.389{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:26.389{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:26.389{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-3822-63C5-7F05-00000000AF02}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:26.389{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-3822-63C5-7F05-00000000AF02}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:26.390{FCCA13C7-3822-63C5-7F05-00000000AF02}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:27.914{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36E9FD5597D90DDD779763005A012E4F,SHA256=C2B601B923BCEE06A9322F52C36473A75544B22042869CDC89E7442F92CBB661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:27.446{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B65ADD0A49D160A25E73D29C843443EF,SHA256=B2B6629F4D1058D49F78158AE9658613342DEBC38937C891B4E5AB2DF68E53BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:24.314{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56794-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000029648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:24.314{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56794-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000029647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:23.481{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:100:0:28c1:c1c4:86e6:ffff-49269-truee000:fc:bb23:cc01:ffff:ffff:205b:ff01-5355llmnr 354300x800000000000000029646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:23.481{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local49269-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x800000000000000029645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:23.480{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local57295- 10341000x800000000000000029644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:27.123{FCCA13C7-3822-63C5-8005-00000000AF02}44966448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:28.998{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=809CEA944CC3201565528B84DB5EE48D,SHA256=6A3FB4B554DC09B14B581EFB8F83076B34DF7E9AF72C889B1C235C29C0064210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:28.555{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFCDD98E7480DBD6CC3BEB98D77F839D,SHA256=BCDF50F53207F50781ECAE0E54DC85B7B6E1F83E705001EBA3A00CF1737076A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.138{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56795-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000029651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.138{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56795-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 23542300x800000000000000012692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:28.319{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=76A30639FDB1E889C3175262C5820EE5,SHA256=BC402673BA35D66EEF10096964B4E240832BBAFE62AFA672F35F0161BA699A3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:29.991{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000012702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:29.985{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000012701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:29.963{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000012700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:29.958{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000012699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:29.951{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000012698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:29.945{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000012697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:29.938{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000012696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:29.924{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000012695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:29.917{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 23542300x800000000000000012694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:29.642{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=177EC829CC5D9A581AC9E21E1E74D826,SHA256=D9EB864658054B6E25E3820FCB186FA4A1F86859A564D1F2677AEF2738A17C5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:25.675{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56796-false10.0.1.12-8000- 10341000x800000000000000029661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:29.093{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-3825-63C5-8105-00000000AF02}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:29.093{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:29.093{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:29.093{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:29.093{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:29.093{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-3825-63C5-8105-00000000AF02}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:29.093{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-3825-63C5-8105-00000000AF02}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:29.094{FCCA13C7-3825-63C5-8105-00000000AF02}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:30.899{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A15557B2B99217D7ECF434A71F6586,SHA256=4A89CF2F181ED70FE000EEE26C61F150428A0AB28AD66E0D2BC4815E432412C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:30.076{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A12516D2975BEFBD536088B2CE54C39,SHA256=48EF6D438149D0463169867168593A05A38DCE09203FDAAA10243DB9F449DE57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:30.106{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000012724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:30.104{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000012723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:30.101{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000012722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:30.100{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000012721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:30.097{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000012720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:30.095{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000012719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:30.094{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000012718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:30.093{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000012717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:30.092{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000012716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:30.090{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000012715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:30.089{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000012714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:30.088{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000012713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:30.083{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000012712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:30.078{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000012711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:30.074{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000012710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:30.066{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000012709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:30.051{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000012708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:30.031{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000012707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:30.029{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000012706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:30.016{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000012705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:30.010{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000012704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:30.001{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 23542300x800000000000000012727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:31.927{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BD6B5AC3BAE8B3D3F4FA2E067663F19,SHA256=5F3EF947FDC633312E43A4A57840FDBE5D7FEA1E2EF3BDB3BD31F9EC657E1206,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:31.173{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE153569D559392794698D647C60A9F2,SHA256=A0BADE98CF5CA77B696799694CDBAA66DC4D0317111BE073ADA9B7EE416A0BB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:32.358{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19418C9180C4DCD394F29EDE956B7497,SHA256=C6B725B5393652F97575F9439BCD7D057E935395B3234E884314A023A7A18A23,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:28.442{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49930-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:33.453{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C67ACA450C1E595EA6B87C0D0C81F5F3,SHA256=B35792E4906CEBCD0AFED2652F32955FA54BC245F61CBBA1B60EEBAD97247F67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:33.015{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F76B7BE2938AB6CABA46F86B413398A2,SHA256=DBBE1292F391AF8954DFFBA29CE8FF888B0EE6CD9322D6167DF57D23594C7E01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:34.546{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24C14CAC97AD4922C5E2CC7784A0C19E,SHA256=F02CBD9815FB11BF0C7727E82CE73C11C77C8095A02479EFD7B1A3B88EDF28A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:31.515{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56797-false10.0.1.12-8000- 23542300x800000000000000012730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:34.110{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7695C0077810FA2C55A391C087D05C62,SHA256=4144EEB7107DC2640D078556EEE1296B9377B2A58410B14367D3609C7C53D472,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:35.638{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE04345B524545CFA433AA2DEA767188,SHA256=4757E06159BB8E1313099DFA06EA3E7652135571B24AA974E6973F5603ADB057,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:35.197{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F5A771BA496DB859FBD90FCA834475C,SHA256=FB8EFA8CE2E90EEC540361A41B10579EAC1D43BC6D0D488C3A75B9E8F0ECCF1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:36.720{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B37BEA0328342970D39F12CDB8AACD7,SHA256=E1D622B034A683A68FEDDD0C600D478C1C7B78200F9C36A86AD043D836117C70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:36.298{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E650F5C1E8670BE95BC7B3E067D4CC9,SHA256=66D66D74B6491ED6A0A4915F3B2FFFAA3ECF0B22FF98735E80163287E89993B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:37.920{FCCA13C7-3816-63C5-7905-00000000AF02}5168ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2023-01-16_114236MD5=3855DBEDC347549A9CD80950D35CB0F1,SHA256=6145597A68BD65AAD14576269CE8621CB30C749B2EED82C89243436DD5B2D1DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:37.920{FCCA13C7-3816-63C5-7905-00000000AF02}5168ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=1430C209EFF7FD5583D3D311A56A889C,SHA256=75358E8028A9D2A1CC1782C71200ED0E529269E98BDC3389937C592CA9D2EB8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:37.811{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17681C95C2EABED42282EE69D983D792,SHA256=8E5D7BA3FF2696EA33033F8D178E2FB9AB2724354B985FF3BA85D75B54B46B94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:37.396{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60B263430184DB33F6DDF5EA3310E10E,SHA256=15ACE12A318DD6D2826CF95F54C6C75F64D4B67E030F5EA04B9CF4B3C1409654,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:38.904{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0F6A305551FBD27F54D651598183923,SHA256=2D7367F1E7889D2C831A060B63926F4516B09DDAA53776DF5E60F7CCE7B8C5DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:34.440{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49931-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000012734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:38.491{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7E8C7FE1FF463F53A01D5726CE9B0BD,SHA256=D7527BEB087CE745CCEB33444141DDC09D3DFE2C7B117906500A87DDECF99C11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:39.979{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC3230B8C79C8546B2D1AE941BFEC1B7,SHA256=75884EE39E93B271E1B56FACE264D107D59D3ADC3FFF9C2C34253B598A94D51D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:39.581{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC82F4FF8213F96FACBA07A7222E239,SHA256=1C3249A892D62CF876276F4B9FFBFEF844D07AC41D64217E7F8394ABD7788891,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:36.680{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56798-false10.0.1.12-8000- 23542300x800000000000000012737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:40.685{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A76F08CBCC11261EA20905AA3C68AF9B,SHA256=20470D5215C4ED5B4F29C804989D547C6AEF65B2448758F0D0AB3494E773D905,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:41.776{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1039A3D02EDF356BF923644F8DEFAF84,SHA256=27E3362E4DAE531E37DE234585A24DFE10CA87CF5789104D6A8ED372D01056B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:41.072{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51A7BEE557EA62CD25597CA44ECC127C,SHA256=83A8E747BB119413C61C659782413C4B6FC548DD9E17EE61D1E6F9810535AC90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:42.868{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1C0E927075B0B269C4C6E6D8B0BC34F,SHA256=8873B2F440632C99322A2E2815354F628743092C8DDA4144FE0FD8923BFCEF03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:42.777{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:42.767{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:42.308{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:42.294{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:42.286{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:42.283{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:42.282{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:42.279{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:42.249{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:42.243{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:42.230{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:42.224{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:42.219{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:42.189{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:42.181{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:42.159{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:42.151{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 23542300x800000000000000029682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:42.143{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68FD534234F0A2D18BD3DA8C1536483B,SHA256=8FAC0B8DF9B55DAD860A7F2BA31ACD18959996EE70F7EC06A44EB5B50B690CD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:42.141{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:42.133{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:42.096{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:42.093{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 354300x800000000000000012739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:39.614{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49932-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000012742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:43.969{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE60E60A8905EE0FCDF25E9C8DEF0E35,SHA256=D2B4688DBC6D3E8351875BFD6F33C4C85D6C364F516F483FAC675BC6ACEC2E86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:43.987{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\respondent-20230116111158-029MD5=3A7897B317CA03B79FE07533175F9643,SHA256=F76FF17815B8F96571634A983322FD544389A7130FC207258DDFB92658757A4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:43.921{FCCA13C7-30ED-63C5-1100-00000000AF02}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E2D145D886131D99B8C0D1616BB0AB82,SHA256=0725388B9B35CE59417DC7AAE868C140DBB9D33DBC20BEC947F0D53F08BF4256,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:43.178{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83308D791ECFB4581F263675DAA13614,SHA256=54FDDFF98C5F5759C3BB7F08D220CF9552164FDAEE274AD652D3F20C00F86A28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:43.766{312A7A06-3345-63C5-1200-00000000B002}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8789FBB769BDAF2DB4886CEA5194D454,SHA256=0638E2D1132AD39ED39128FCC25DC44161760C06D1F5E1A4F51A9F8D14BCCF15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:44.998{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\surveyor-20230116111156-030MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:44.830{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:44.828{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:44.825{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:44.822{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:44.820{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:44.814{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 23542300x800000000000000029703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:44.276{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41089C76F518868A384CAFB089149198,SHA256=8F59548CD388BE53257FC8C9B0FF46A9C7B69E07FA7529004045675715AB469B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:42.678{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56799-false10.0.1.12-8000- 10341000x800000000000000029732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:45.476{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:45.475{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:45.474{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:45.448{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:45.440{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:45.424{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:45.421{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:45.392{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:45.383{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:45.368{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:45.360{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:45.358{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:45.355{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:45.351{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:45.350{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 23542300x800000000000000029717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:45.348{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F0050DCB60E8F21DED39DFD404C9D81,SHA256=807E58D03F44D21AB7A96789622C3842D4F5F990A95F4D32636391B808BECACB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:45.346{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:45.344{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:45.343{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:45.342{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:45.341{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:45.338{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 23542300x800000000000000012743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:45.065{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37795DA6F9553B8C9E41E995337CBD27,SHA256=0A4DC15FF64F46731FCC61B9D53910BAD3ECBF42958CBC82EDDEC41BD079451B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:46.153{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AADE7250845D3B3DD944FAC6AB23EEE8,SHA256=34190320EE8C578AC5EDA168374BBACBEF3280E97FB6F560061B8244839F246E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:46.407{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA1F90EC373A6B0BFE3C6FC885F768C2,SHA256=F7B006EC31EE50BA77E02B635E04F39E2CD77D5D3324CE5C2D04439EA907450E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:47.252{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A74F02D0E78977E19E418572AE833E39,SHA256=50CDB5D01201CAC3B9865FA908CA849981C39E9CEC8C3F29C2C5EFD4396DD473,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:47.704{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:47.704{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:47.704{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:47.501{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF88B2F20EA11F7C8B4F0D5B889D2B3D,SHA256=6B7ED8FA4D97EC783451A6DDDE8E93F4D2F6029CC355D2FEB0E7CCD2968FEF14,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:45.629{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49933-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000012746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:48.348{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF2054BACAE09F6EBB1B8A33DDC42F3B,SHA256=6AD79F7F02159411F6A714772C8F3E40D79F54CA1272850924712A9F9D187695,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:48.729{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F25D2BB87DEE070DB564496D00BBD52E,SHA256=D13677D312345B1609BAA7A413FC4FDBFF4F6FBB35EF91FD23BA8C27ABA50FAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:48.595{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=244C1D94AC4D7344D5943F527398B48D,SHA256=89D443F575F76D56630D4276C60569CF05428F1D8B418ED73D77C31BF7E7C676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:49.666{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDB3D586643CDCAC02DFB36606B4C97D,SHA256=686BA04B82DE0D158626F377F725776D37B7E253F595C96A7E95839E4092CCEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:49.977{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:49.973{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:49.964{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:49.955{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:49.947{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:49.933{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:49.924{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 23542300x800000000000000012748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:49.452{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DD54F8FFB10AD13316C0A63BD2308BC,SHA256=001DB0D640178569594273D39800985DD2D44AB39BBFA57BDE289A77F2DA3DD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:50.907{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97D09DDE87601AA0AC6E2293D8C5780,SHA256=8EEC77DB742A72ACFA87C9A2B24DB83EB0A5B0B7BED7454FFC7DCE6A3369B785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:50.767{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE237444F64DC881D65E0E8C94B5B178,SHA256=D48AD5E727F1A05D6000CF6D29393E652DAAFCDE43A947A91958674B870225E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:50.138{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:50.135{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:50.134{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:50.134{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:50.130{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:50.128{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:50.127{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:50.127{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:50.125{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:50.124{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:50.123{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:50.121{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:50.119{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:50.113{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:50.110{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:50.101{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:50.080{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:50.065{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:50.062{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:50.055{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:50.043{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:50.035{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:50.026{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:50.016{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 13241300x800000000000000029745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:42:51.863{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d9299f-0xaa5908ce) 23542300x800000000000000029744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:51.848{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E49E7E2302D729DBE4A148904EC860CA,SHA256=9E749DC6AA29F11A14E5853FA8D85F464A02966D1DFF6C56AA576CDC0672663F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:48.651{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56800-false10.0.1.12-8000- 23542300x800000000000000029746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:52.842{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08DA4C62E16FF57951E5E840D33C9D81,SHA256=6CA692B76E7670E824181E277C83623F6FD59926FED8755CB7DC202A02792AEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:52.902{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1D00-00000000B002}1996C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000012781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:52.057{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA796AB0BBC8A8C3C98374D4F2D65245,SHA256=B7511D9E382BA7DF99F620676C181B37E223897DB5E8736D746DEFBB07693C7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:53.931{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6910B3A8868AE8082471883A3C6B32ED,SHA256=6AD468E63F287E4D6EC91FF5AE26DE34612058FEC9E8C38A498CCE907AD87DCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:53.917{312A7A06-3345-63C5-0D00-00000000B002}7763696C:\Windows\system32\svchost.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000012783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:53.134{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9643D3E877831633E1C882BDA739DDCC,SHA256=C35A3B4739BF72B35FC8CE3213DB66407852DD5C6DF5523C7FC5D1F8690FE821,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:51.581{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49934-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000012785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:54.231{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AFCB74A9ED9C929D733D12099C39A1A,SHA256=543C96380BEEC7C536E9457CCAE7202E0EC248E7C6AB364FA8C12780EC3A3E14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:55.319{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03148F642C355B23C5B61788D8681662,SHA256=C33ACF0EA8C7F119FC5DD999C2E7DE34F9866BBCD03B671BCD55792882BA7F80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:55.191{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:55.084{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=58DDAED6C3F51AEA56A799FD52DE8F1E,SHA256=7A4535814493B273C5A07E5AB41495EE156A0B7C55561241AD2865BABEB653D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:55.007{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5BAC2812EE54E1B7405CE7101EB9966,SHA256=EACA952DF2A87485F3D74CA3CC3D39E831FAA570E481DD18E09A00EE0A9C577F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:56.978{312A7A06-3840-63C5-A601-00000000B002}3148360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:56.822{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3840-63C5-A601-00000000B002}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:56.822{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:56.822{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:56.822{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:56.822{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:56.822{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:56.822{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:56.822{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:56.822{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:56.822{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:56.822{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-3840-63C5-A601-00000000B002}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:56.822{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3840-63C5-A601-00000000B002}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:56.823{312A7A06-3840-63C5-A601-00000000B002}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:56.416{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DC15CF9FEB3563AB8C8E2357DD71C2C,SHA256=FC67BE40631C786EA8BBB6C3333F337C3D434C10868AD85DE9F9FD65096082C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:56.350{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=842C367C9D63E6F373395D611C22FFEA,SHA256=7EC45EDB223C4B1F6E36A50672966756D3F9D1861C152871823D9D4EA38B7858,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:53.674{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local56801-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local445microsoft-ds 354300x800000000000000029754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:53.674{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local56801-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local445microsoft-ds 23542300x800000000000000029753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:56.456{FCCA13C7-3816-63C5-7905-00000000AF02}5168ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=3855DBEDC347549A9CD80950D35CB0F1,SHA256=6145597A68BD65AAD14576269CE8621CB30C749B2EED82C89243436DD5B2D1DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:56.268{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A53036AC9DDBC10ACFA400B3DC42B467,SHA256=C2173DF1BC0C728B9FDC6633A8C896756190ECF56596C418839F21613AE0C8A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:56.082{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46AB7A0C8D866C79B918084996D73376,SHA256=07F0FB10F23103F300996FBD3D59AF28A4A053A693F4AC525C8CF858A5B0B68B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:56.307{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3840-63C5-A501-00000000B002}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000012802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:56.307{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3840-63C5-A501-00000000B002}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000012801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:56.307{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3840-63C5-A501-00000000B002}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000012800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:56.156{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3840-63C5-A501-00000000B002}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:56.156{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:56.156{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:56.156{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:56.156{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:56.156{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:56.156{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:56.156{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:56.156{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:56.156{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:56.156{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-3840-63C5-A501-00000000B002}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:56.156{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3840-63C5-A501-00000000B002}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:56.157{312A7A06-3840-63C5-A501-00000000B002}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000012834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:57.477{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3841-63C5-A701-00000000B002}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:57.477{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:57.477{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:57.477{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:57.477{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:57.477{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:57.477{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:57.477{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:57.477{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:57.477{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:57.477{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-3841-63C5-A701-00000000B002}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:57.477{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3841-63C5-A701-00000000B002}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:57.478{312A7A06-3841-63C5-A701-00000000B002}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:57.399{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05E4BE503A530AC9BBCCD91B68377F27,SHA256=0E3A605521C1D2BC7A09E972C9E1E2A492A07518067A95248401DDDC03ACCE7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:54.639{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56802-false10.0.1.12-8000- 23542300x800000000000000029757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:57.481{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:57.168{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCE02B0B918355A3A4DE415AA727816E,SHA256=4D86309F0488682A7F9D30D05C390A98C095D084BA6A2791B63EB83915481877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:57.201{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=545765B30F5514AA9381E38258F415DF,SHA256=028CA2BBE758904D9A63A11F7E948B5FAFF28AE826E1932BD5F756860B6D4133,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:58.926{312A7A06-3842-63C5-A801-00000000B002}31122744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:58.770{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3842-63C5-A801-00000000B002}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:58.770{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:58.770{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:58.770{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:58.770{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:58.770{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:58.770{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:58.770{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:58.770{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:58.770{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:58.770{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-3842-63C5-A801-00000000B002}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:58.770{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3842-63C5-A801-00000000B002}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:58.772{312A7A06-3842-63C5-A801-00000000B002}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:58.498{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5741BD498B621A2CF2DDF56D2DDB7D0A,SHA256=F4932B6F45BCA9E465FB3383622004B3186A161BF9DBAC67A464BE5D31698147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:58.498{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3DFDD3F07DBD6109A26810455E645058,SHA256=548A82A2DA6F69EE4266A70C99175DA83F7B6EA19096C9F152DEDAA87BDFC498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:58.244{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E95B0E956A6153CBD4CB394609681242,SHA256=F3CF19353FDBA9EF61D67E2C25A3D37453C5D9896D7DE06830A177AB470CD170,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:59.834{312A7A06-3843-63C5-A901-00000000B002}36402408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:59.686{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3843-63C5-A901-00000000B002}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:59.684{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:59.684{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:59.684{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:59.684{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:59.684{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:59.684{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:59.684{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:59.683{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:59.683{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:59.683{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-3843-63C5-A901-00000000B002}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:59.683{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3843-63C5-A901-00000000B002}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:59.683{312A7A06-3843-63C5-A901-00000000B002}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:59.604{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9D887C6BAE800BB1ADF9D1AC86CE53,SHA256=1F7B0D30A3F164728ADB165CE789EC1A59691594DAFC504C821EAF5E2CC1062B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:55.945{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56803-false10.0.1.12-8089- 23542300x800000000000000029760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:42:59.342{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A14B4FFCFFC00BF930A127470C598176,SHA256=34F25AF091A9DCDF85C3596178B83D5C4C8D36561BC5A6265002FDAEDDA23244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:00.992{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBDB9B3993121060B4710D38C365A431,SHA256=D2667643B7B6E2EAF10B9696D3AD71F64F0FD8456244C8D6BC6FBD9179E9B469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:00.455{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A406AF44FA9A3C2EED95E317E8C5C6A8,SHA256=3A35D759C6D5A8D75D81FDD7109FECAC47A769A0E2DF4BFD7DC1350E15E4F097,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:00.553{312A7A06-3844-63C5-AA01-00000000B002}36083516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:00.366{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3844-63C5-AA01-00000000B002}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:00.366{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:00.366{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:00.366{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:00.366{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:00.366{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:00.366{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:00.366{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:00.366{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-3844-63C5-AA01-00000000B002}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:00.366{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:00.366{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:00.366{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3844-63C5-AA01-00000000B002}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:00.367{312A7A06-3844-63C5-AA01-00000000B002}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000012866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:42:56.589{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49935-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:01.545{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C61ADDB35C349247D27D350390BB94E,SHA256=779A5F8F7A3D7C32A98359F457BB1AFE4EE647E4258CC79406E1B57C7EDB0D31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:01.347{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3845-63C5-AB01-00000000B002}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:01.347{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:01.347{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:01.347{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:01.347{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:01.347{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:01.347{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:01.347{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:01.347{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:01.347{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:01.347{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-3845-63C5-AB01-00000000B002}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:01.347{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3845-63C5-AB01-00000000B002}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:01.348{312A7A06-3845-63C5-AB01-00000000B002}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:02.817{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:02.808{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 23542300x800000000000000029783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:02.579{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C7CB83B56EB286D633D8D241A0A1D17,SHA256=D43943B28882AB10BD494DCFC7520504A8AF78AFBDEFB6EA1ACCFA3EBC8AB6C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:02.027{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5CE042AF4C5952130F527B3B28E16E7,SHA256=EE5312659096DF619C9CA0760632C9256C7EC888494C8EA7DB9326951F943E84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:02.394{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:02.384{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:02.378{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:02.375{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:02.372{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:02.367{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:02.318{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:02.307{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:02.286{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:02.275{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:02.264{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:02.228{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:02.218{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:02.207{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:02.198{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:02.188{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:02.180{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:02.133{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:02.128{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 354300x800000000000000029787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:00.604{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56804-false10.0.1.12-8000- 23542300x800000000000000029786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:03.644{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFD443005F5BEF32CB960F12044119E8,SHA256=458C28F4801A37F3CAF5FB45209AFBFD2A716BDF241F685FF99B80DEEFC2CCC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:03.123{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE7A63306AD6CD9212139F65472F3DB9,SHA256=025726CD0BE16C13ECB6322129D167FA350A19382D1395ACF7DFDD569F244920,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:04.889{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:04.887{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:04.885{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:04.881{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:04.878{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:04.870{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 23542300x800000000000000029792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:04.709{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=482B1A6C6A478B7384A963294593CC79,SHA256=29014FCD7334E8FE0C869BA82A7F03819E0B5531588D266861E29365E9DF1810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:04.215{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3033D06B6157638567828FCC5DD4827E,SHA256=C772C7BEAAE34549206FD75460BC64A718A46C4FCDA5AC1BA0C712E72904640B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:04.528{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:04.528{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:04.528{FCCA13C7-30EC-63C5-0B00-00000000AF02}628844C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:04.501{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-AF01-00000000AF02}3376C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:05.788{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4618CC2870BBBFB9BA2A76D1C3FC31C,SHA256=21D2D9E8572852890C9F5BB13A0F52B332E72AAEF68C59D03A0C8FFA5C273819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:05.293{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27A0990AD3FF7017141637D8083891F1,SHA256=0651FEB459BAD5A81C2745BB4C7E7C5ED2CBA3225662BA7E99D8FB7C6CDA577E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:05.519{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:05.518{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:05.517{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:05.492{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:05.483{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:05.468{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:05.439{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:05.432{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:05.423{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:05.418{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:05.417{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:05.414{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:05.412{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:05.411{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:05.407{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:05.405{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:05.404{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:05.403{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:05.402{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:05.400{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 23542300x800000000000000029820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:06.878{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=786E479D5AA41DDBB4A267FAF3099903,SHA256=9B04A537CB833C438DB92D68766B5CD24F9E7FFAAA7D93F13584E836975D3DDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:06.389{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A36041EA6511B1DD90EDD38DD7661348,SHA256=245E187F5E6C4110DD7239B317EC7DFA83C9B13372507F6C387C7D4459579FE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:02.544{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49936-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:07.971{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DDF4DE713CD18D5C71B8896C3ACD5DF,SHA256=DF44AA1C87833C626BF1B191D969240C4ED0135296BF4F0B4C6F8D8EBE91F55E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:07.492{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24464B05041236F9AC281926B8753602,SHA256=6A4A86E6F628DB08C226D558080928AB1D362A8B7109815A883B796A9E7EEDAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:04.972{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal53677- 354300x800000000000000029823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:04.971{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local53146-false10.0.0.2ip-10-0-0-2.us-east-2.compute.internal53domain 354300x800000000000000029822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:04.970{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal51465- 23542300x800000000000000029821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:07.300{FCCA13C7-3816-63C5-7905-00000000AF02}5168ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=E4C233BEC043BD89EA91A38FA0A3B257,SHA256=0E41CD9C475895E34B2A51D72B88DA248B92BC08F10CEEF3F1BC71312F50F138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:08.581{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10204828A71DAFDFE84A87B71A36555D,SHA256=F2C64CDFD72B4446A72806BA572CDD62342F0EE20743DDEF60E084E65F7D7BCF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:05.654{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56805-false10.0.1.12-8000- 354300x800000000000000012903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:04.801{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal51465-false10.0.1.14ip-10-0-1-14.us-east-2.compute.internal53domain 354300x800000000000000012902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:04.800{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:6:4b95:c880:5d4e:8484:ffff-51465-truea00:10e:176:8800:6caf:18ff:ff8a:18b-53domain 10341000x800000000000000012914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:09.995{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:09.987{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:09.964{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:09.959{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:09.953{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:09.946{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:09.937{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:09.921{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:09.919{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 23542300x800000000000000012905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:09.671{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C89B13A66FB62D55B1E497F7F4874277,SHA256=5EB138F66C30535FA87E064F1785C36FBF9713BF0D819C0F04B374C8D1B072E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:09.061{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=771754AB21E1BBE31D5311880B49E4D2,SHA256=2051CCFFA00E9205473B3BF26DDCB8AB958901A4C5394505A63E791122C3FFF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:10.139{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F02625DF2C90CB5A66300B0B9081AF,SHA256=6E91C9EFDB0C99C2AE10EDEEF0F84AE387192BB45D2D89D328EC3A62118FFB4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:10.095{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:10.093{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:10.091{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:10.090{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:10.087{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:10.084{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:10.082{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:10.082{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:10.081{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:10.079{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:10.077{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:10.076{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:10.073{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:10.067{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:10.065{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:10.060{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:10.054{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:10.033{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:10.031{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:10.021{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:10.014{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000012915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:10.004{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 23542300x800000000000000029829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:11.233{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6550D60E8C5BA0723C9C0C3C080CF9AC,SHA256=7CA1925CB9A010A42A9AF1DB6240A3AF978E95B18BBBC6CCBA1796876CE711BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:11.063{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CC56587BC58C46575BD3F8D471F9D11,SHA256=29AACAB1C356D151A8E1CA1C6FB6F4ADE4BF010C06BCEC676986445375E0CCB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:12.981{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F4C27ACC726B94287CE2548DE3E3F88,SHA256=9CFAF16F637F764478E98F7CDC5A78C657AB82642805B3537E2D037F8D863A78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:12.325{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6E6E7AE557EEC76969AF6FEAA9FB160,SHA256=C5BC44B2F21999F06EE0CB970869D82E5B3F85CE54DEB947FB98F763EF056A93,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:08.439{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49937-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000012938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:12.169{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=815076EACF8D77E6AD3C3696CE4C9F78,SHA256=CC154CE1B7DE86E6363F5A3E33A770B67D18661E8385794E2136A4EEF05D30B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:13.419{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B17093995C16DC9D94363EC01B197A4C,SHA256=CDDB842D57AAF7012253533FC0F0DF82F3CEB8846E14386FBF8D10A70177809A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:13.277{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE577CDE53B5A98DF4498B4050593B2,SHA256=FEDAFBD9A230EC317204C2D326187713887A270114C784B8B5C32C1BB0300803,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:10.306{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local56806-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000029832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:10.306{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local56806-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 23542300x800000000000000029836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:14.511{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A159016F0D8B65350EAE1DBF7A01E956,SHA256=74E59F8A94C1C45319CAE407E0577CDFE18211BD9ADDACA64EA20EA10343E4E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:14.366{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E56E48589B7826009FF4E4FA93E725C,SHA256=4FE38784B0F7E0C4948FE1F16EF0ADEA2AF6FBD091E58DBC0D3B2FB7D6BA8038,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:11.523{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56807-false10.0.1.12-8000- 23542300x800000000000000029837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:15.604{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C0E0CF4FD2F8B2DF711B128AF92F0FA,SHA256=EA23BCFF46A21C49197F683E51319824D5590647E1B694F005421D65F4CE1272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:15.455{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A411247209EC9EF6637DD205D9DC2E7B,SHA256=43EADD76202A6D06A5C1D8C6E6B5D74FF881EE54CCAE37B5A18084F3E1237FD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:16.691{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=254FBF25A76EF7C9846BD1401FE78733,SHA256=920AF9FD15ABF94B69995556DDEC05BEBD8FC75F035E9EBCA1E5DA59E460483C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:16.566{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2EFE9B7667A7A68C8A993B54496C0F5,SHA256=75581834801502176C5DEEAC83DB3775A6E90881745018AA9B9940C0D434116D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:17.800{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=695421D2D7102BE20657787A236133E6,SHA256=A86FC01162C18D5DE5A66284E42521FD7D262ED8AF45D9BFC7100E5C3133C557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:17.665{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E03666B9D7B36FBE1B585C2EEC14ADC,SHA256=82AA729377B935485816E454B3C78D1F255A488111C8E4E97376DD7CB906B742,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:13.582{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49938-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000012944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:17.118{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\respondent-20230116112145-020MD5=B18DB66107F9A3DB58AE009D35CE0A39,SHA256=9B023875329D6D96D1D2E2C61D5FC66BDE525A94E7FC76E10487647BF6E62E63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:18.891{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A582676A3170626EDA3E19683A14A346,SHA256=7FDE09365181C231264D243F80CE79A50D89A6463DE191B509DFBADF07D5D0F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:18.818{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:18.767{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E70740300C2B90335E48E2746A922FC5,SHA256=779D70731A47F51028E39FE79D4A9C2995BE72C9AD14E8B1F2D23D26305B81F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:18.121{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\surveyor-20230116112142-021MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:19.977{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=301F2C2864AA76AE6BC2D4E6EF2637E7,SHA256=F6B4E0131B598EC695C70D2961BE7DD553DFDDD5B730056C12500354C1F6D001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:19.860{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74114463569F5BBD5B14C0297F43C6ED,SHA256=BA541B502759FD659C357274E26EBD9EEE853C5F2832E2C3F5F4D13C56B50541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:20.970{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F91B70F86B08FEC44414BEDE7B7E96FD,SHA256=805E3E6DFDD2A9B61ECE84A32A19B9CB25F5F68D831636DCA803FC302CAB4C18,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:16.730{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56808-false10.0.1.12-8000- 354300x800000000000000012951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:17.175{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49939-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000029843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:21.087{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE459E250CFE23836E15ED5D3343083,SHA256=95F6470D316CD74C9BDE39AE0B3ED3B374A44095C63CC873DED9138F18E465FE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000012953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:43:21.650{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d9299f-0xbc1a26d2) 23542300x800000000000000012954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:22.066{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E42902B2A4598791E691598A077C71E1,SHA256=8B2CA254B6BB11B0EED76BE52438A84106FE5655F0C278DF3DCF9EA135DC123B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:22.717{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:22.712{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:22.360{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:22.339{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:22.323{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:22.318{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:22.311{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:22.307{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:22.267{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:22.261{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:22.245{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:22.236{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:22.231{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:22.193{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:22.185{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:22.172{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 23542300x800000000000000029849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:22.167{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C89078FA40405C5F322E308E238AAD,SHA256=2A398890C7A829A7F303918528A749C7A1C2A0D453C1049C5D6E4100763DF0E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:22.160{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:22.146{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:22.138{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:22.096{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:22.094{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:23.971{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-385B-63C5-8305-00000000AF02}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:23.971{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:23.971{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:23.971{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:23.971{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:23.971{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-385B-63C5-8305-00000000AF02}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:23.971{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-385B-63C5-8305-00000000AF02}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:23.972{FCCA13C7-385B-63C5-8305-00000000AF02}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:23.487{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-385B-63C5-8205-00000000AF02}2708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:23.471{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:23.471{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:23.471{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:23.471{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:23.471{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-385B-63C5-8205-00000000AF02}2708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:23.471{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-385B-63C5-8205-00000000AF02}2708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:23.474{FCCA13C7-385B-63C5-8205-00000000AF02}2708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:23.208{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F4B144573CFC349DC6D6724BDA2B27C,SHA256=8B17A78E1ADD60F409444B0F43A1F2AFBD999EE34309526C02C8AAC21CA28277,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:20.010{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal123ntpfalse169.254.169.123-123ntp 354300x800000000000000012956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:19.507{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49940-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000012955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:23.156{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E942119F26EFAA13A04AAE409B584FDB,SHA256=3A2B31D903ED3A76ED615B81855FDF550C30350832A37CB2C2336B35CAA4E00A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:24.776{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:24.775{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:24.772{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:24.767{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:24.766{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:24.760{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:24.603{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-385C-63C5-8405-00000000AF02}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:24.603{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:24.603{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:24.603{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:24.603{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:24.603{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-385C-63C5-8405-00000000AF02}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:24.603{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-385C-63C5-8405-00000000AF02}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:24.605{FCCA13C7-385C-63C5-8405-00000000AF02}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:24.513{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DC1ED1DED0ED30873CF6DC72DD9289FE,SHA256=03FC637B88D3E049D7A8752D6065FB29B1DD59A4A6051EA0C8C4A8EFE0700076,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:24.461{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F8A7E335496A34B405BAA8C148BA4716,SHA256=1206423EC0134B42D921CA98011AC653BF56A66AD80C242FD702D102DE96E2B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:24.327{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3301EDB492BF96D0904FF1B443B742C,SHA256=00CE9B5E2FADF161D9A2007B0F9B0D1E9CBCB454E9EC85AC462F32646AEBB57B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:24.266{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7AA16EF61DB03DA1C743F50B696DD0D,SHA256=D614C2211FB57FC88BC206599041168C00A82F956552BE06E0E4825B597FED17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:24.156{FCCA13C7-385B-63C5-8305-00000000AF02}42566756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:25.730{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E862A80DDF5C93A07FB9DE4F7310834,SHA256=3F00F50D4D02F335C332C7526E8621FBB8F6FFC345AEF2DE95F964860A95A29B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:22.667{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56809-false10.0.1.12-8000- 10341000x800000000000000029932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:25.440{FCCA13C7-385D-63C5-8505-00000000AF02}57285392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:25.412{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-385D-63C5-8505-00000000AF02}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000029930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:25.412{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-385D-63C5-8505-00000000AF02}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000029929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:25.412{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-385D-63C5-8505-00000000AF02}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000029928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:25.405{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:25.404{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:25.403{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:25.382{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:25.372{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:25.358{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:25.332{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 23542300x800000000000000012959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:25.368{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B923208C0CD92E67E6D5BC0B624CF3D5,SHA256=1A506E5D22C7014D4CC696615C7F4E046D0C846B0487831BD4A2565AC841A53A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:25.325{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:25.315{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:25.311{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:25.309{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:25.306{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:25.304{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:25.303{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:25.300{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:25.297{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:25.296{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:25.296{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:25.295{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:25.293{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000029908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:25.273{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-385D-63C5-8505-00000000AF02}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:25.273{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:25.273{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:25.273{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:25.273{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:25.273{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-385D-63C5-8505-00000000AF02}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:25.273{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-385D-63C5-8505-00000000AF02}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:25.274{FCCA13C7-385D-63C5-8505-00000000AF02}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.861{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EF597F1E4752B3C894CA5F863C11892,SHA256=254D338A7C0835790218DFCC6BDC74F2ED11E4A124BADE9A9DE27EB15C656410,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.564{FCCA13C7-385E-63C5-8605-00000000AF02}67885136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.399{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-385E-63C5-8605-00000000AF02}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.399{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.399{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.399{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.399{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.399{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-385E-63C5-8605-00000000AF02}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.399{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-385E-63C5-8605-00000000AF02}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.400{FCCA13C7-385E-63C5-8605-00000000AF02}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:26.450{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25C9D5393FE41155E3F9EE7F61042408,SHA256=058F2C6BEBB4168B3B6C5277C272FB52B60AAEB83B941ADE20E07F4C1500E86B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.193{FCCA13C7-3387-63C5-9D01-00000000AF02}12845724C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.193{FCCA13C7-3387-63C5-9D01-00000000AF02}12845724C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.193{FCCA13C7-3387-63C5-9D01-00000000AF02}12845724C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.193{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.193{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.193{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.193{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.096{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.096{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.096{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.096{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.096{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.096{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.095{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.095{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.095{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.095{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.095{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.095{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.095{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.095{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.095{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.095{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.095{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.095{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.095{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.094{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.094{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.094{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.094{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.094{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.094{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.094{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.094{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.094{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.094{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.094{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:26.094{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:27.976{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40F669168B1D4E2E01D312522B0BE4EB,SHA256=C9DCFF22F9A8E57C59D8D52A5AF9BAF1160B6E711BE96D9E98603355ACEF3376,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:24.630{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49941-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000012962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:27.786{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2E0E347D59834339ED8935CE867AD00D,SHA256=CBCAC839A2330EC01532E2C7495C1B05046D891CF87824A1C1C140237A961DF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:27.552{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEA59DA92EE17094CBD3D8C7D865A460,SHA256=320D963740C73550701DA3F7C679A93035F7F3D8E33748FC12963AEA23EB96B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:27.383{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000029997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:27.383{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000029996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:27.383{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000029995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:27.382{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000029994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:27.382{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000029993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:27.380{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000029992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:27.380{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000029991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:27.281{FCCA13C7-385F-63C5-8705-00000000AF02}46086500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:27.078{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-385F-63C5-8705-00000000AF02}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:27.078{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:27.078{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:27.078{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:27.078{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:27.078{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-385F-63C5-8705-00000000AF02}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:27.078{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-385F-63C5-8705-00000000AF02}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:27.079{FCCA13C7-385F-63C5-8705-00000000AF02}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:28.626{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9325B8A7B63E8B0BDB698179C242F71,SHA256=A160A3F5738BE066F42584972E97B8AAEC190088E2701702A46414B790DE8894,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:29.976{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:29.969{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:29.959{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:29.950{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:29.940{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:29.930{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:29.927{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 23542300x800000000000000012965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:29.715{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F52B10308EF9B10443F94603CE8FB9D9,SHA256=63A710156C8FB27DFD575DD8CF38F31CB13C6F23CCABA33D5D83DD13EE5BA948,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:29.077{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-3861-63C5-8805-00000000AF02}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:29.077{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:29.077{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:29.077{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:29.077{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:29.077{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-3861-63C5-8805-00000000AF02}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:29.077{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-3861-63C5-8805-00000000AF02}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000030001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:29.079{FCCA13C7-3861-63C5-8805-00000000AF02}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:29.049{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A0895F3CEF2FFF3559C1FD1F0CC4DAC,SHA256=C2C21F928AC9A13199C1BE77B14AFADD0B91965AA112FF91304214196649921E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:30.970{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B0CC84FB5403E324FD4BF911DB61B74,SHA256=49E59B70F4BA9F26EA0F2895C1F313EE50B1E90F9025603C9D364BFAED64686F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:30.788{FCCA13C7-30EC-63C5-0B00-00000000AF02}628844C:\Windows\system32\lsass.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:30.788{FCCA13C7-30ED-63C5-1400-00000000AF02}10281540C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:30.788{FCCA13C7-30EC-63C5-0B00-00000000AF02}628844C:\Windows\system32\lsass.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000030009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:30.133{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A6CB12C3726356A2D593955366DC31D,SHA256=9A1FA04DC1FB2A186F2CE127DBB9C572654792B89CC88B1F2ED9FA1B88DBE0BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:30.095{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:30.094{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:30.092{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:30.091{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:30.088{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:30.085{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:30.085{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:30.084{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:30.083{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:30.081{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:30.080{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:30.079{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:30.076{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:30.072{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:30.070{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:30.065{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:30.059{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:30.047{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:30.046{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:30.039{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:30.034{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:30.026{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:30.015{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000012973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:30.008{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 23542300x800000000000000012998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:31.997{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A79C2ABEE2A492B07BF517A85CA44DE8,SHA256=FA95EFF7609B0CF549EF4FB843A5CA2E66881A2D7BA4315CC1641248446032E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:31.842{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63235D9884C13070A5642F2E8900EA3F,SHA256=5AF33FD6591E43CCF9E9079F8C0EE5E01D7FA7A07F39927D4194DA179F99A55E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:28.597{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56810-false10.0.1.12-8000- 23542300x800000000000000030013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:31.209{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7F30EDE8F7F3788E7E7F970F59C09E0,SHA256=74F24B595D79AE3F33CBD6FCF8934C51F619DF8800ABF8BC0DD2E0F07A14583A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:32.718{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:32.718{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000030016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:32.291{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04A9F66ADEAA95AD731776891041A92D,SHA256=4EC429D06BE86BCB1BA84D3F589D370092E2B74EDE6591757721E5B64755F50B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:33.377{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7EF2AF443BE921D33CA25D0A98A89AA,SHA256=8EAABD2C2073764A461E77A2E33925B8F230D1BF2B0EDE4E91C1E1F7BFF5F9B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:33.102{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2307CB449F15A0387FB0D558090DE61,SHA256=07E018551F707212FD4D4F1FF742AF569874F08BB79EC70B52A5E63EC0F0062B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.945{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD4DACAFD91D013B8252F88BC5EFF9C0,SHA256=B7FF9433DDB9F9912A5DC6001F25DE82B6CBC106A4A73C8F8EE466C715E49CA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.500{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.500{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.500{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.499{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.499{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.499{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.490{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.490{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.489{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.402{FCCA13C7-3387-63C5-9D01-00000000AF02}12845724C:\Windows\Explorer.EXE{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.402{FCCA13C7-3387-63C5-9D01-00000000AF02}12845724C:\Windows\Explorer.EXE{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.402{FCCA13C7-3387-63C5-9D01-00000000AF02}12845724C:\Windows\Explorer.EXE{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.402{FCCA13C7-3386-63C5-9501-00000000AF02}28963900C:\Windows\system32\taskhostw.exe{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.402{FCCA13C7-3386-63C5-9501-00000000AF02}28963900C:\Windows\system32\taskhostw.exe{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000013000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:34.201{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA07634934AA83BBFC6A97DE3354CF70,SHA256=B34C6E35F7D2D142746FA1A893BBA4708B4288EFD3BA54B5CB409B4995E46A0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.387{FCCA13C7-3387-63C5-9D01-00000000AF02}12845992C:\Windows\Explorer.EXE{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.387{FCCA13C7-3387-63C5-9D01-00000000AF02}12845992C:\Windows\Explorer.EXE{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.387{FCCA13C7-3387-63C5-9D01-00000000AF02}12845992C:\Windows\Explorer.EXE{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.387{FCCA13C7-3387-63C5-9D01-00000000AF02}12845992C:\Windows\Explorer.EXE{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.371{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.371{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.371{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.371{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.358{FCCA13C7-30EE-63C5-1600-00000000AF02}12921824C:\Windows\system32\svchost.exe{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.358{FCCA13C7-30EE-63C5-1600-00000000AF02}12921332C:\Windows\system32\svchost.exe{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.343{FCCA13C7-3866-63C5-8A05-00000000AF02}3483124C:\Windows\system32\conhost.exe{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.326{FCCA13C7-3383-63C5-8701-00000000AF02}33724520C:\Windows\system32\csrss.exe{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.326{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.326{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.326{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.326{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.326{FCCA13C7-3383-63C5-8701-00000000AF02}33725032C:\Windows\system32\csrss.exe{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.326{FCCA13C7-3387-63C5-9D01-00000000AF02}12844284C:\Windows\Explorer.EXE{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+22ac82|C:\Windows\System32\windows.storage.dll+16fcea|C:\Windows\System32\windows.storage.dll+16faa6|C:\Windows\System32\SHELL32.dll+5c3dd|C:\Windows\System32\SHELL32.dll+5b256|C:\Windows\System32\SHELL32.dll+4d869|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+1700c0|C:\Windows\System32\SHELL32.dll+16c38c|C:\Windows\System32\SHELL32.dll+19ebfc|C:\Windows\System32\SHELL32.dll+16c526|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x800000000000000030030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.330{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon"C:\Windows\system32\ATTACKRANGE\Administrator{FCCA13C7-3385-63C5-B3E7-140000000000}0x14e7b32HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\explorer.exe"C:\Windows\Explorer.EXE" /NOUACCHECK 13241300x800000000000000030029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:34.047{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000030028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:34.047{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001d3972) 13241300x800000000000000030027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:34.047{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92997-0x615350fc) 13241300x800000000000000030026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:34.047{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d9299f-0xc317b8fc) 13241300x800000000000000030025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:34.047{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d929a8-0x24dc20fc) 13241300x800000000000000030024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:34.047{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000030023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:34.047{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001d3972) 13241300x800000000000000030022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:34.047{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92997-0x615350fc) 13241300x800000000000000030021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:34.047{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d9299f-0xc317b8fc) 13241300x800000000000000030020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:34.047{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d929a8-0x24dc20fc) 23542300x800000000000000030065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:35.526{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D6528C27CC450094E55D2601B46D0B5,SHA256=C6EB282B27D4467AEAC35790AF8AEB23F55093F687C4AD91F9115D708D5360D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:35.299{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56AE97D9AAB6F68A0583ABA297466DD2,SHA256=5C36CB0DFFA0E070E916456F5C515645065FBA3EAC46617A67A0BB0E33018478,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:35.301{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=34E9490BDC5C3E5D6E24C3116EBFC21C,SHA256=7EE796A35488A106046A43A05D3D6A3A7A6B002D11782EA33AED5F0E8FB0293D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:30.533{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49942-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000030072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:36.618{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDC068E8D80DD377EE3A81CB43B96FBB,SHA256=A501501889810CE903FF886B007BB4EDE43D7CC829E6472CBA0EAC907DFDE0F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:36.401{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=045C9E737C138EA7096F359CCF8C75DA,SHA256=410BBFCE27420D4FECF483D5954163210317C0568917C42215355975464D0D08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:36.383{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000030070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:36.383{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000030069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:36.383{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000030068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:36.381{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000030067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:36.381{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000030066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:36.381{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 23542300x800000000000000030074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:37.710{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9820C102A6E5BB6CACA75C3EB1F43DF,SHA256=7A6AC650EC128EA08776CB9DBEC6A31BA7C0AA4E72F5E5798B538551EB4959E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:34.598{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56811-false10.0.1.12-8000- 23542300x800000000000000013004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:37.491{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A642BB87996D664147EFD07AD5936B5,SHA256=3E0D6A3503E8BACC1A71720AD0C7866F0737805CDA726F0273471F899373C457,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:38.688{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4910198BC946257FF513A6068A754E8,SHA256=F30FB4CCDE9EA16ED4F70832086D37C860FFC7E86857EFA4277EA0D8ACA52EDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:38.570{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1B543F9FAC1561A0951DB6F68E6163A,SHA256=B6DE95C64E960C65DC2F6C3C46A931070F0FB97BDCCBB85849E102A5B591ED11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:39.790{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BD86DB12F742BF03E9E4E0752B53CB3,SHA256=07698FFC44F4433D7E6EF8428577485EBD559A3ED583E702A07586E1E96148B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:39.672{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0308023DE15417C7C479C12BE768D5B3,SHA256=98EFAFD65D6B2C274DF1DF9B61C3585C3BF82FB60F4FF3CAA716678428EC7EA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:40.877{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DD892A63D75F9BD7F036E9DFE880D88,SHA256=B89693DE529A41C9CEE98120A32820C53DE10A846F8F1AEC265D7C0356B5EDC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:40.765{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4562398B5DEFC018CD5CC3C81033D0A,SHA256=04939A359E7A1ECB473E060EFA0C486C5F1E9E93F1A9AEE6291504F666DE252D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:36.414{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49943-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000013009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:41.858{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E58C2DFA139CD4BC2ED496153EDE8A1,SHA256=151C13F9DD9463F93127F1607E24D2818AEA178D0F2DF7E5C91B439D8FE4E327,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:41.968{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBE289E769DFC5FE5AA83586CF7AA352,SHA256=A6956D570F07BF67644BE948D5A4BFFD1B58ED60EB33524529645092016D4936,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:42.964{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B25327D03C278095E011DCB7B2B2C09,SHA256=93CB9F1ED284E416614C740EE136A14BDE856D5A562DA6F2CB7DC97F08F1996D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:42.656{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:42.651{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:42.306{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:42.294{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:42.288{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:42.286{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:42.284{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:42.281{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:42.254{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:42.246{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:42.223{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:42.216{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:42.211{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:42.181{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:42.173{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:42.163{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:42.156{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:42.147{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:42.138{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:42.098{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:42.094{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 23542300x800000000000000013011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:43.781{312A7A06-3345-63C5-1200-00000000B002}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B1B15C68409697AB83C8FCF338F37674,SHA256=6D0D02B57E5BBFFB95FECF10C92E2F38461B77EE7C0F3580045EA0AED32AA978,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:43.930{FCCA13C7-30ED-63C5-1100-00000000AF02}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=513E96675C9F4D041E3538D927D0A1AE,SHA256=AC336B6D266984603EB2334B00A2D73CD3DCFF6D80828D27CDF41A9EA69F8A6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:43.012{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3FB0ADB9B2BF9909D04ED9A0EE675EB,SHA256=D87B470D2C42944531FAC076A4D025EF8B8031A2166983E6E7941953D85DCB9F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000013022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:43:44.975{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000013021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:43:44.975{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00143816) 13241300x800000000000000013020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:43:44.975{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92997-0x67d8b3be) 13241300x800000000000000013019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:43:44.975{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d9299f-0xc99d1bbe) 13241300x800000000000000013018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:43:44.975{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d929a8-0x2b6183be) 13241300x800000000000000013017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:43:44.975{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000013016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:43:44.975{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00143816) 13241300x800000000000000013015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:43:44.975{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92997-0x67d8b3be) 13241300x800000000000000013014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:43:44.975{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d9299f-0xc99d1bbe) 13241300x800000000000000013013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:43:44.975{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d929a8-0x2b6183be) 23542300x800000000000000013012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:44.062{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E7FDD501835189A0CE00508CCD6A091,SHA256=F445454BD851519EE21CF655EB823FA84BE6E90914D877C771DF382F79ADBD4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:44.713{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:44.710{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:44.705{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:44.703{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:44.702{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:44.692{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 354300x800000000000000030103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:40.572{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56812-false10.0.1.12-8000- 23542300x800000000000000030102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:44.084{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EA8660D9BCD338FF590C3810527C856,SHA256=1A61ED91E2C4D73711DAEE3F1F98D2BD94091119788E8A1F41778AE9E72FE0AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:41.531{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49944-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000013023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:45.157{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2458E5C4822E795DDCD6AB16E477111,SHA256=5A0D3C59F1D09A54C84670EBE6D3E69D9C361E7C72FB21D3879D79BE3FCBF2FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:45.526{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\respondent-20230116111158-030MD5=3A7897B317CA03B79FE07533175F9643,SHA256=F76FF17815B8F96571634A983322FD544389A7130FC207258DDFB92658757A4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:45.333{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:45.333{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:45.332{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:45.331{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:45.330{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:45.308{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:45.301{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:45.287{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:45.260{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:45.253{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:45.244{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:45.240{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:45.238{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:45.236{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:45.233{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:45.232{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:45.228{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:45.225{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:45.224{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:45.223{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:45.223{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 10341000x800000000000000030111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:45.221{FCCA13C7-3392-63C5-AF01-00000000AF02}33766116C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D88190) 23542300x800000000000000030110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:45.157{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E3674F637CEE1C23072530DC79A967E,SHA256=0B45CE3DDE3FFDB4750E4E1FC4AF52D316419A3BEA593866E3BC1FA460F6F895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:46.729{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B10ABF9EC8397A36272B9A6D2469E23,SHA256=2A7979EDB24AF03D4798A190914FAEE7B07BE70445CA0D2AB8125980C4151408,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:46.595{FCCA13C7-3387-63C5-9D01-00000000AF02}12845724C:\Windows\Explorer.EXE{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:46.595{FCCA13C7-3387-63C5-9D01-00000000AF02}12845724C:\Windows\Explorer.EXE{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:46.595{FCCA13C7-3387-63C5-9D01-00000000AF02}12845724C:\Windows\Explorer.EXE{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:46.595{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:46.595{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:46.595{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:46.595{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000030144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:46.539{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\surveyor-20230116111156-031MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:46.319{FCCA13C7-3387-63C5-9D01-00000000AF02}12844284C:\Windows\Explorer.EXE{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\ole32.dll+8a26e|C:\Windows\System32\ole32.dll+89b6b|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x800000000000000030142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:46.319{FCCA13C7-3387-63C5-9D01-00000000AF02}12844284C:\Windows\Explorer.EXE{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\ole32.dll+b5f62|C:\Windows\System32\ole32.dll+89b39|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 23542300x800000000000000013025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:46.233{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1E89E27794722639C4EA1D1CAB7FACB,SHA256=EB50EEBB0BA62309885919360DB7713CA7127BF64900188AB61000CC0AEEFCFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:46.147{FCCA13C7-30EE-63C5-1600-00000000AF02}12921824C:\Windows\system32\svchost.exe{FCCA13C7-3872-63C5-8B05-00000000AF02}4008C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:46.147{FCCA13C7-30EE-63C5-1600-00000000AF02}12921332C:\Windows\system32\svchost.exe{FCCA13C7-3872-63C5-8B05-00000000AF02}4008C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:46.147{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-3872-63C5-8B05-00000000AF02}4008C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:46.131{FCCA13C7-3383-63C5-8701-00000000AF02}33723484C:\Windows\system32\csrss.exe{FCCA13C7-3872-63C5-8B05-00000000AF02}4008C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:46.131{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-3872-63C5-8B05-00000000AF02}4008C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:46.131{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-3872-63C5-8B05-00000000AF02}4008C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:46.036{FCCA13C7-3387-63C5-9D01-00000000AF02}12844284C:\Windows\Explorer.EXE{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x800000000000000030134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:46.020{FCCA13C7-3387-63C5-9D01-00000000AF02}12844284C:\Windows\Explorer.EXE{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000030156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:47.699{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3872-63C5-8B05-00000000AF02}4008C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:47.699{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3872-63C5-8B05-00000000AF02}4008C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:47.699{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3872-63C5-8B05-00000000AF02}4008C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 23542300x800000000000000030153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:47.460{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09366C6942D98CCFE68363EF816BF087,SHA256=C6462AB8C88374D4035B6F222052BD2B977760AE8DE7A50BC0191753BA73228F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:47.317{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B3DD077FE512328E149A93596FBC425,SHA256=948F729BCDB221B79871ECEE04B6C8EBD57EAC53517C13BDC7C1D27C3A33859A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:47.207{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:47.206{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:47.206{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000030240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.992{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.992{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AB4DDCDF8083B764A5C38C6FBBD1A66,SHA256=1FF54CB4E54EDA8155DF08DFC2378E231C0D24CB828057951B0290544308E202,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.992{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 11:10:32.859 23542300x800000000000000030237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.992{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=91AB6923836E132EA76F254AEF9C58C5,SHA256=16C9E1222549B7D4B0C69E63F58090A8F486013454552F6774032C5501952902,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.823{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.823{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 23542300x800000000000000013030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:48.409{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=403F1F7A7E6C3B2375836F48B2678BD3,SHA256=6033BB1DDB6642C1508300663ECA5830704C0DC1DF298EE169337AD43AEE88FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.823{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.823{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.822{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.822{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.822{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.822{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.820{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.820{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.820{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.820{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.820{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.820{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.819{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.819{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.818{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.818{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.817{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.817{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.816{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.816{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.816{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.816{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.814{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.814{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.814{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.814{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.812{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.812{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.811{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.811{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.811{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.811{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.810{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.810{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.810{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.810{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.808{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.808{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.808{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.808{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.808{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.807{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.807{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.805{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.805{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.805{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.805{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.803{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.803{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 11241100x800000000000000030185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.538{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.538{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79B665641C9734B54DD290D7ABBCDAA5,SHA256=A46CE31F65D40E979888E145F05C45215DDD2BAD8B06544EA43B2F9B20668D8E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.194{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemC:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTSysmonDnsEtwSession.etl2023-01-16 11:11:56.104 11241100x800000000000000030182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.194{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemC:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTSysmonDnsEtwSession.etl2023-01-16 11:11:56.104 13241300x800000000000000030181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:48.194{FCCA13C7-3874-63C5-8C05-00000000AF02}6596C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=EEC55D34B366966D2BE7B525883EE012227E5B55A9087F81A609EDE73268A249 13241300x800000000000000030180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:48.194{FCCA13C7-3874-63C5-8C05-00000000AF02}6596C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml 13241300x800000000000000030179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:48.194{FCCA13C7-3874-63C5-8C05-00000000AF02}6596C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 13241300x800000000000000030178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:48.194{FCCA13C7-3874-63C5-8C05-00000000AF02}6596C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 13241300x800000000000000030177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:48.194{FCCA13C7-3874-63C5-8C05-00000000AF02}6596C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data 16341600x800000000000000030176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local2023-01-16 11:43:48.194C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=EEC55D34B366966D2BE7B525883EE012227E5B55A9087F81A609EDE73268A249 13241300x800000000000000030175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:48.194{FCCA13C7-3874-63C5-8C05-00000000AF02}6596C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e) 13241300x800000000000000030174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:48.194{FCCA13C7-3874-63C5-8C05-00000000AF02}6596C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000005) 12241200x800000000000000030173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:43:48.194{FCCA13C7-3874-63C5-8C05-00000000AF02}6596C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules 12241200x800000000000000030172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:43:48.194{FCCA13C7-3874-63C5-8C05-00000000AF02}6596C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup 12241200x800000000000000030171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:43:48.194{FCCA13C7-3874-63C5-8C05-00000000AF02}6596C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation 12241200x800000000000000030170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:43:48.194{FCCA13C7-3874-63C5-8C05-00000000AF02}6596C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 12241200x800000000000000030169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:43:48.194{FCCA13C7-3874-63C5-8C05-00000000AF02}6596C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 10341000x800000000000000030168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.194{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-3874-63C5-8C05-00000000AF02}6596C:\Program Files\ansible\sysmon\Sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.153{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3872-63C5-8B05-00000000AF02}4008C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000030166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.153{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3872-63C5-8B05-00000000AF02}4008C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000030165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.153{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3872-63C5-8B05-00000000AF02}4008C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000030164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.136{FCCA13C7-3866-63C5-8A05-00000000AF02}3483124C:\Windows\system32\conhost.exe{FCCA13C7-3874-63C5-8C05-00000000AF02}6596C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.136{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.136{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.136{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.136{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.136{FCCA13C7-3383-63C5-8701-00000000AF02}33724520C:\Windows\system32\csrss.exe{FCCA13C7-3874-63C5-8C05-00000000AF02}6596C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.136{FCCA13C7-3866-63C5-8905-00000000AF02}66122172C:\Windows\system32\cmd.exe{FCCA13C7-3874-63C5-8C05-00000000AF02}6596C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000030157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.116{FCCA13C7-3874-63C5-8C05-00000000AF02}6596C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{FCCA13C7-3385-63C5-B3E7-140000000000}0x14e7b32HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 10341000x800000000000000013036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:49.999{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:49.989{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:49.973{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:49.953{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000013032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:49.948{312A7A06-3346-63C5-1D00-00000000B002}19963400C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EC2190) 23542300x800000000000000013031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:49.499{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EB4ECBD151F6456FE68C5D181FFDFE2,SHA256=D8EB48F710C6CD5CCA8EEE13ED733623BAC3C92996173205B6270486F1B113F9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:49.623{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:49.623{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11A83CD0190DC821D3A069E0ED05952D,SHA256=19140D573EA44D325305EC060CBFAA6272022277EBAC2BF77EBBF55287CC825C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000030242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:49.607{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000030241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:49.607{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkrBinary Data 23542300x800000000000000013064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:50.741{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C7B2A5B7F49E43906A2307D8E87F53,SHA256=5253572E8F08CCE34DF5FE082C758933F7B3FEC3C9CA5FEB299A130508A3B9DF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:50.744{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:50.744{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33A4BBBBC2C12A634D760C18CE296479,SHA256=D202BDAAEB05D0A967E96192553F57CDD6B601BD8B8F923500D922A72D960567,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:47.426{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49945-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000013062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:50.154{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:50.150{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:50.148{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:50.147{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:50.144{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:50.142{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:50.141{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:50.140{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:50.139{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:50.135{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:50.133{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:50.132{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:50.129{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:50.124{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:50.121{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:50.116{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:50.108{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:50.093{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:50.090{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:50.083{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:50.077{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:50.070{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:50.061{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:50.050{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:50.018{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:50.012{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 13241300x800000000000000030320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.553{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000030319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.553{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkrBinary Data 13241300x800000000000000030318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.553{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Status\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}\ForceRefreshFGDWORD (0x00000000) 13241300x800000000000000030317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.553{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Status\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}\PrevRsopLoggingDWORD (0x00000001) 13241300x800000000000000030316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.553{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Status\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}\PrevSlowLinkDWORD (0x00000000) 13241300x800000000000000030315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.553{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Status\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}\LastPolicyTimeDWORD (0x0159715f) 13241300x800000000000000030314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.553{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Status\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}\RsopStatusDWORD (0x000001f5) 13241300x800000000000000030313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.553{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Status\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}\StatusDWORD (0x00000000) 13241300x800000000000000030312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.553{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\{F3CCC681-B74C-4060-9F26-CD84525DCA2A}\0\lParamDWORD (0x00000000) 13241300x800000000000000030311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.553{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\{F3CCC681-B74C-4060-9F26-CD84525DCA2A}\0\GPOLinkDWORD (0x00000001) 13241300x800000000000000030310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.553{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\{F3CCC681-B74C-4060-9F26-CD84525DCA2A}\0\GPONameLocal Group Policy 13241300x800000000000000030309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.553{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\{F3CCC681-B74C-4060-9F26-CD84525DCA2A}\0\LinkLocal 13241300x800000000000000030308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.553{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\{F3CCC681-B74C-4060-9F26-CD84525DCA2A}\0\Extensions[{F3CCC681-B74C-4060-9F26-CD84525DCA2A}{0F3F3735-573D-9804-99E4-AB2A69BA5FD4}] 13241300x800000000000000030307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.553{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\{F3CCC681-B74C-4060-9F26-CD84525DCA2A}\0\DisplayNameLocal Group Policy 13241300x800000000000000030306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.553{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\{F3CCC681-B74C-4060-9F26-CD84525DCA2A}\0\FileSysPathC:\Windows\System32\GroupPolicy\Machine 13241300x800000000000000030305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.553{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\{F3CCC681-B74C-4060-9F26-CD84525DCA2A}\0\DSPathLocalGPO 13241300x800000000000000030304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.553{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\{F3CCC681-B74C-4060-9F26-CD84525DCA2A}\0\VersionDWORD (0x00160016) 13241300x800000000000000030303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.553{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\{F3CCC681-B74C-4060-9F26-CD84525DCA2A}\0\OptionsDWORD (0x00000000) 12241200x800000000000000030302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:43:50.553{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\{F3CCC681-B74C-4060-9F26-CD84525DCA2A} 12241200x800000000000000030301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:43:50.553{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\{F3CCC681-B74C-4060-9F26-CD84525DCA2A}\0 12241200x800000000000000030300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:43:50.553{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\SECURITY\RXACT\Log 13241300x800000000000000030299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.553{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\SECURITY\Policy\GlobalSaclNameKey\(Default)Binary Data 13241300x800000000000000030298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.553{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\SECURITY\RXACT\LogBinary Data 12241200x800000000000000030297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:43:50.553{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\SECURITY\RXACT\Log 13241300x800000000000000030296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.553{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\SECURITY\Policy\GlobalSaclNameFile\(Default)Binary Data 13241300x800000000000000030295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.537{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\SECURITY\RXACT\LogBinary Data 12241200x800000000000000030294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:43:50.537{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\SECURITY\RXACT\Log 13241300x800000000000000030293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.537{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\SECURITY\Policy\PolAdtEv\(Default)Binary Data 13241300x800000000000000030292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.537{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\SECURITY\RXACT\LogBinary Data 10341000x800000000000000030291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:50.537{FCCA13C7-30EC-63C5-0B00-00000000AF02}628844C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000030290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.537{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 11241100x800000000000000030289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:50.537{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csv2023-01-16 11:27:10.403 23542300x800000000000000030288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:50.537{FCCA13C7-30EE-63C5-1600-00000000AF02}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=0AEDEF3F98A680A334ED235D4D1148B0,SHA256=21B8564D402A5C1BB2DD31C7C15AA4CB8860CAA56C02C320B823B0EA916885E0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000030287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.537{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\PolicyOverdueDWORD (0x00000000) 13241300x800000000000000030286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.537{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\LoggingStatusDWORD (0x00000000) 13241300x800000000000000030285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.537{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StatusDWORD (0x00000000) 13241300x800000000000000030284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.537{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeHiDWORD (0x01d9299f) 13241300x800000000000000030283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.537{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeLoDWORD (0xcd51e45e) 13241300x800000000000000030282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.537{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeHiDWORD (0x01d9299f) 13241300x800000000000000030281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.537{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeLoDWORD (0xcd3c6f04) 13241300x800000000000000030280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.537{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\LastExtensionMadeSyncRequest{00000000-0000-0000-0000-000000000000} 13241300x800000000000000030279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.537{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshReasonDWORD (0x00000007) 13241300x800000000000000030278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.537{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshModeDWORD (0x00000001) 12241200x800000000000000030277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:43:50.537{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Status\GPExtensions\Extension 13241300x800000000000000030276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.537{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Status\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}\ForceRefreshFGDWORD (0x00000000) 13241300x800000000000000030275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.537{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Status\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}\PrevRsopLoggingDWORD (0x00000001) 13241300x800000000000000030274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.537{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Status\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}\PrevSlowLinkDWORD (0x00000000) 13241300x800000000000000030273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.537{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Status\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}\LastPolicyTimeDWORD (0x0159715f) 13241300x800000000000000030272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.537{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Status\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}\RsopStatusDWORD (0x00000000) 13241300x800000000000000030271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.537{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Status\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}\StatusDWORD (0x8000000a) 12241200x800000000000000030270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:43:50.537{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\ServiceInstances\f2fc11c2-f584-4179-bd28-22894386016b\053f80d7-b472-46c1-afb4-b3fbc5bed2c1 13241300x800000000000000030269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.537{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\ServiceInstances\f2fc11c2-f584-4179-bd28-22894386016b\053f80d7-b472-46c1-afb4-b3fbc5bed2c1{f3ccc681-b74c-4060-9f26-cd84525dca2a} 13241300x800000000000000030268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.537{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Status\GPExtensions\Extension{f3ccc681-b74c-4060-9f26-cd84525dca2a} 13241300x800000000000000030267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.537{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Shadow\{f3ccc681-b74c-4060-9f26-cd84525dca2a}\0\lParamDWORD (0x00000000) 13241300x800000000000000030266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.537{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Shadow\{f3ccc681-b74c-4060-9f26-cd84525dca2a}\0\GPOLinkDWORD (0x00000001) 13241300x800000000000000030265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.537{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Shadow\{f3ccc681-b74c-4060-9f26-cd84525dca2a}\0\GPONameLocal Group Policy 13241300x800000000000000030264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.537{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Shadow\{f3ccc681-b74c-4060-9f26-cd84525dca2a}\0\LinkLocal 13241300x800000000000000030263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.537{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Shadow\{f3ccc681-b74c-4060-9f26-cd84525dca2a}\0\Extensions[{F3CCC681-B74C-4060-9F26-CD84525DCA2A}{0F3F3735-573D-9804-99E4-AB2A69BA5FD4}] 13241300x800000000000000030262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.537{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Shadow\{f3ccc681-b74c-4060-9f26-cd84525dca2a}\0\DisplayNameLocal Group Policy 13241300x800000000000000030261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.537{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Shadow\{f3ccc681-b74c-4060-9f26-cd84525dca2a}\0\FileSysPathC:\Windows\System32\GroupPolicy\Machine 13241300x800000000000000030260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.537{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Shadow\{f3ccc681-b74c-4060-9f26-cd84525dca2a}\0\DSPathLocalGPO 13241300x800000000000000030259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.537{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Shadow\{f3ccc681-b74c-4060-9f26-cd84525dca2a}\0\VersionDWORD (0x00160016) 13241300x800000000000000030258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.537{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Shadow\{f3ccc681-b74c-4060-9f26-cd84525dca2a}\0\OptionsDWORD (0x00000000) 12241200x800000000000000030257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:43:50.521{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Shadow\{f3ccc681-b74c-4060-9f26-cd84525dca2a} 12241200x800000000000000030256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:43:50.521{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Shadow\{f3ccc681-b74c-4060-9f26-cd84525dca2a}\0 13241300x800000000000000030255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.521{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\SlowLinkDWORD (0x00000000) 13241300x800000000000000030254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.521{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szTargetNameWIN-DC-CTUS-ATT 13241300x800000000000000030253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.521{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szNameATTACKRANGE\WIN-DC-CTUS-ATT$ 10341000x800000000000000030252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:50.506{FCCA13C7-30EC-63C5-0B00-00000000AF02}628756C:\Windows\system32\lsass.exe{FCCA13C7-30EA-63C5-0100-00000000AF02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000030251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:50.506{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000030250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.506{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\IsSlowLinkDWORD (0x00000000) 10341000x800000000000000030249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:50.396{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000030248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.396{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkNameus-east-2.compute.internal 13241300x800000000000000030247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:50.396{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\DCName\\win-dc-ctus-attack-range-221.attackrange.local 10341000x800000000000000030246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:50.396{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000030245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:46.524{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56813-false10.0.1.12-8000- 23542300x800000000000000013065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:51.876{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D1C496BF7DA7296C0593EB127A277DC,SHA256=7B89DB92DCB66E5D325B492E328A22572DB5C58B6B66DBB8DA6338B5D8E15A89,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:51.812{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:51.812{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84D27167CD5F7148FD0824CCFBFDBB7F,SHA256=D99E55E9FAE1638C95DFF63F35C06C4C4CEEACF9B83508E04C1A588EC98DA8F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.989{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local56817-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local49666- 354300x800000000000000030344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.989{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local56817-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local49666- 354300x800000000000000030343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.988{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local56816-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local135epmap 354300x800000000000000030342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.988{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local56816-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local135epmap 354300x800000000000000030341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.887{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56815-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000030340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.887{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56815-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000030339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.879{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local56814-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000030338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.879{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local56814-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 11241100x800000000000000030337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:51.514{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 11:11:01.844 23542300x800000000000000030336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:51.514{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DC43490B033A4CED64591B72F42A529,SHA256=AA883F678DE34DC9F6CA1459E76B4592AE9A0A45DD4B16A74FD1147935353893,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000030335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:51.452{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000030334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:51.452{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Abgrcnq++\abgrcnq++.rkrBinary Data 13241300x800000000000000030333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:51.295{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000030332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:51.295{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 10341000x800000000000000030331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:51.295{FCCA13C7-3387-63C5-9D01-00000000AF02}12845724C:\Windows\Explorer.EXE{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:51.295{FCCA13C7-3387-63C5-9D01-00000000AF02}12845724C:\Windows\Explorer.EXE{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:51.295{FCCA13C7-3387-63C5-9D01-00000000AF02}12845724C:\Windows\Explorer.EXE{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000030328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:51.295{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 10341000x800000000000000030327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:51.295{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:51.295{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:51.295{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:51.295{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000030323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:51.108{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-16 11:43:51.108 23542300x800000000000000013070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:52.971{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E0072695412FD1C13268CD3C6E938FE,SHA256=61B0AEB771D8881007DAAA6C22F8BD4DAC04715660537045B4848C982E978D2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:52.917{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:52.917{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:52.917{312A7A06-3345-63C5-0B00-00000000B002}628668C:\Windows\system32\lsass.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:52.904{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1D00-00000000B002}1996C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000030351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:52.893{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:52.893{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F1291D285F2A8945FFE9A81C66C3BAC,SHA256=17EE11E5B46402C8F73CB3279D2BFF5BEEB80A7CBA6F0C80E6D9043EC57DED3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.993{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local56818-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local445microsoft-ds 354300x800000000000000030348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:48.993{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local56818-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local445microsoft-ds 23542300x800000000000000013071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:53.964{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3721264E0344B93AE85A3BE03C61AE37,SHA256=B7E8B34655407840C820A8A08840969D712F32B7A093EE90C70C073ED1BD572F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:53.997{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35844D3A965CFAF80B6F24CAF53E031B,SHA256=6123CB5509724890E9102B65BB2B75498E020420B5161D240FD95195B6A00520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:54.718{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8E98D493E2D56804D5918DA442291AC1,SHA256=B00FCD13B5368317F34B9932C036184134972F5D04458B8C3519239A2701A714,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000030355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:54.463{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000030354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:43:54.463{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 11241100x800000000000000030353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:53.997{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000013072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:55.067{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97E561574A76E5267172EC17D230E737,SHA256=E3026A23454BDE5B69A97857D878099F12BFFBED1473655CFF33285CB1FC6B6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:51.653{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56819-false10.0.1.12-8000- 11241100x800000000000000030358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:55.085{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:55.085{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6A7099BC5A6C6D283DF5E89826DD31F,SHA256=0AD4AABD7CF5DC5B79316C3B3BE63C27C5B7F6357FB59EE86A5E9D3682CD18B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:56.829{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-387C-63C5-AD01-00000000B002}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:56.829{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:56.829{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:56.829{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:56.829{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:56.829{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:56.829{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:56.829{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:56.829{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:56.829{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:56.829{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-387C-63C5-AD01-00000000B002}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:56.829{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-387C-63C5-AD01-00000000B002}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:56.830{312A7A06-387C-63C5-AD01-00000000B002}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000013088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:56.795{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B2FE351CFA04A8A6197C13FCF5D75B11,SHA256=BBC0B4B58ECFC0D8D10D9D67C78031C37B58D048CBD0D18DACA4461DB5404733,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:53.392{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49946-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000013086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:56.180{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-387C-63C5-AC01-00000000B002}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000013085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:56.180{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBBD188BDA65EEE8ECDAEF3477F6166C,SHA256=35A8D9A932CCC6E4D7E43A4342B3BC163B098F4B12FADBFD07140C3217BC23E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:56.180{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:56.180{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:56.180{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:56.180{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:56.180{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:56.180{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:56.180{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:56.180{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:56.180{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:56.180{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-387C-63C5-AC01-00000000B002}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:56.180{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-387C-63C5-AC01-00000000B002}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:56.181{312A7A06-387C-63C5-AC01-00000000B002}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000030361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:56.147{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:56.147{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F6C70AD1A3AEF5836B3A78FAEAB1EE9,SHA256=F5707AD60449437B4E1A93904A3C4270E8C997AEDB731F06494105FDF1D1D683,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:57.980{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=03E8E9EBA088646CCC7C7DAA8B998DB4,SHA256=B2933BEBCAA4F50AF80441BFBFE706A2689AF94E45524B89CB3BF3704F16E1A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:57.427{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-387D-63C5-AE01-00000000B002}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:57.427{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:57.427{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:57.427{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:57.427{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:57.427{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:57.427{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:57.427{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:57.427{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:57.427{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:57.427{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-387D-63C5-AE01-00000000B002}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:57.427{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-387D-63C5-AE01-00000000B002}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:57.430{312A7A06-387D-63C5-AE01-00000000B002}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000013104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:57.427{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F454B4A16EEEE87B435348D68C1A1A72,SHA256=310D7EC98A728708795F0EE51D9384A816227B8C59144451BBB7B46049CAD3FC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:57.505{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2023-01-16 11:14:07.413 23542300x800000000000000030364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:57.505{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:57.239{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:57.239{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1203AEFA0733BABE40517BFE1086E857,SHA256=02C80CB718011B145F3CFA97C83291211FCE90289AAF13F13EA27D4A7118EC9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:57.240{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59A5B1AE351D173E105BC431215074E9,SHA256=75D514068E2406F3F08C3F2BF6DF9F98011EAA3E30ECFC12B827577C398E2E57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:57.017{312A7A06-387C-63C5-AD01-00000000B002}3363776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:58.798{312A7A06-387E-63C5-AF01-00000000B002}1896912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:58.657{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-387E-63C5-AF01-00000000B002}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:58.657{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:58.657{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:58.657{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:58.657{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:58.657{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:58.657{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:58.657{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:58.657{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:58.657{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-387E-63C5-AF01-00000000B002}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:58.657{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:58.657{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-387E-63C5-AF01-00000000B002}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:58.659{312A7A06-387E-63C5-AF01-00000000B002}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000013119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:58.486{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0167646CACD59D9CBB446FD8F024102F,SHA256=8E428013FDDD681C0B9E656B55D3A82E8475CDD4C982D471E80A8C626E51BB3B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:58.328{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:58.328{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55F4A4E27A9368B0442CAEA5C23CC96,SHA256=2D4172737E6C0B1BA3C23CD8AE4EF68803DC7B9A332AA74823368A36CA36D1CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:59.949{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-387F-63C5-B001-00000000B002}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000013152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:59.948{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-387F-63C5-B001-00000000B002}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000013151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:59.947{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-387F-63C5-B001-00000000B002}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000013150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:59.946{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-387F-63C5-B001-00000000B002}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000013149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:59.945{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-387F-63C5-B001-00000000B002}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000013148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:59.945{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-387F-63C5-B001-00000000B002}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000013147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:59.704{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-387F-63C5-B001-00000000B002}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:59.704{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:59.704{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:59.704{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:59.704{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:59.704{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:59.704{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:59.704{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:59.704{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:59.704{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:59.704{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-387F-63C5-B001-00000000B002}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:59.704{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-387F-63C5-B001-00000000B002}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:59.704{312A7A06-387F-63C5-B001-00000000B002}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000013134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:59.563{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8FCEC4DAAAA81B12985192586EBA523,SHA256=B2B5B83A9C883FB7C71082794BE1AB887D71F7643662103617D03F430E92C98C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:59.412{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:59.412{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E454B71A30847E6A65F56A7779AF5EE,SHA256=67FE54E62D73C5FABB2F6C1E0F7ECC85937E4B76F70C42AE7337B0D20625669D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:00.895{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D175045FD59F9791D9FFFE338A9A9DBF,SHA256=7826FB87B00C3D2E4BADB5027973EC93C7B3540B50270BE8577B53E73D7A81E5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:00.515{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:00.515{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3FE3DFA4F86AA3A3AE97B86B8CDBACB,SHA256=BBD03F2BBDB317D748CCBC80D7ED48BE61A2DD53006C94582231084AC77A0A07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:00.363{312A7A06-3880-63C5-B101-00000000B002}19161056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:00.202{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3880-63C5-B101-00000000B002}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:00.202{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:00.202{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:00.202{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:00.202{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:00.202{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:00.202{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:00.202{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:00.202{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:00.202{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:00.202{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-3880-63C5-B101-00000000B002}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:00.202{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3880-63C5-B101-00000000B002}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:00.203{312A7A06-3880-63C5-B101-00000000B002}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:00.015{312A7A06-387F-63C5-B001-00000000B002}868920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000030371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:56.713{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56821-false10.0.1.12-8000- 354300x800000000000000030370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:43:55.968{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56820-false10.0.1.12-8089- 11241100x800000000000000030375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:01.610{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:01.610{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BD288632E04309351A88769156A56FF,SHA256=05B0B0A6A297FBE71F726571D6851997219FB735C42BA8D33860DEA4B02869B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:43:58.499{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49947-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000013182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:01.353{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3881-63C5-B201-00000000B002}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:01.350{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:01.350{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:01.350{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:01.349{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:01.349{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:01.349{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:01.349{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:01.349{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:01.349{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:01.349{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-3881-63C5-B201-00000000B002}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:01.348{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3881-63C5-B201-00000000B002}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:01.349{312A7A06-3881-63C5-B201-00000000B002}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000030398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:02.705{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:02.700{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 11241100x800000000000000030396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:02.653{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:02.653{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E300DBC356A684AC0C8B5603A3BAF41B,SHA256=5662784D8E1775A941EFB484C61D0D69CB0644E9E7AFA45BA544A07D1DACB698,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:02.592{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA9F4492AB93E509D3CB2FDA91A1C1B2,SHA256=7D6FD6DB9845334C7FB3C349C4063BFA10D8F98A29225297895F4BED96AC1CA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:02.112{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C3EEF3FBEB70473BDF6B8F84835A2FE,SHA256=DE1336BEEF2F703C31F65CCDCBF2B0CC7824BCA8727ADDEBF0C35B3DDB58602D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:02.314{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:02.298{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:02.292{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:02.289{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:02.286{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:02.284{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:02.251{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:02.245{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:02.229{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:02.221{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:02.216{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:02.173{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:02.160{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:02.145{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:02.137{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:02.122{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:02.114{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:02.101{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:02.099{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 11241100x800000000000000030400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:03.746{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:03.746{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=184866C43AFB347A8049C39A2B9B568A,SHA256=D4D2572BF23F51B0A128FC85FE78A82CCA1205B65BB719099E7C50B1A8F81D1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:03.202{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E4863F4B15C3B0E2A1264D1237C9AA5,SHA256=494E8AC9D41FFCF6263D93E74CE8ADA598B1A78A6440BA0318BBC136BA7A49C4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:04.813{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:04.813{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6FAFC55F910140675BACDED887C76B9,SHA256=7DA2DBAEB4936509C4BBD81F99423DDBB5AD69F5F8E5937FD121AF71ACBCD45A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:04.780{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:04.778{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:04.774{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:04.771{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:04.770{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:04.758{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 23542300x800000000000000013187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:04.299{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D66CCB263C982896FFED2A243843F49E,SHA256=4F4C0A439DA71586B7A3DC3A83CA2880C973D5A9EFE189233CA1C9BFE9625B92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:04.501{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-AF01-00000000AF02}3376C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000013188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:05.384{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A2F9FF609613DF75A5F99F8A3FBF188,SHA256=2BD3B96D2D9BAB89B49833E5A5E0A3C5541A3F9096823AD27B8518E8FADF5DAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:02.697{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56822-false10.0.1.12-8000- 10341000x800000000000000030431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:05.429{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:05.429{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:05.427{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:05.427{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:05.426{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:05.393{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:05.386{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:05.368{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:05.330{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:05.323{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:05.309{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:05.303{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:05.302{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:05.298{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:05.295{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:05.294{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:05.290{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:05.287{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:05.286{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:05.285{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:05.284{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:05.283{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 11241100x800000000000000030434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:06.290{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:06.290{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEC620D78DFB2B51C2BD0288CF335BC9,SHA256=4B10D25F19FBA4FF70F87DE84453C6E865C6CB16157587FBE151DC1171F7860E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:06.486{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD21A4B73EF40EE7E8B274EC2C75AFA5,SHA256=0AFB1A4BB6DB6D53070C9AA79EAEA9FA71865FF5934CE56CCB63FE1EB02632F1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:07.633{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:07.633{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D5EF05C8FED6B7AF3BE07BAC6557A15,SHA256=F2205A5F1982AC245AB8B4C373AA32180B2FD9FF9FD0916F62987F87D6E9455B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:07.589{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB0F4E50CA5B4349034AFFB3F1FB7B8A,SHA256=AE96B7B4CC17B7A5748A919F726C07BA397A796639F84A55A4FF3FE4A9343DD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:03.610{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49948-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x800000000000000030438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:08.722{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:08.722{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA662EF976B856C2E83489ACF12BCDAB,SHA256=346FDF20C910BCBF5E9D45C8FADCF91661DC7F8A8A339462826C803FE54193DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:08.678{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4B97F2A702C64BE76C9C1FDB434331B,SHA256=A0ED4F7C76108D67602E60E776275EE9EC4A9ACAC745D80398A88AF223B74AE5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:09.797{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:09.797{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CE03496687C20DA873F957512515F82,SHA256=8A4A2B86340BD6A3DF5B5C1565B8B156E5338D86EBFED26E0EECFB73061746D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:09.991{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:09.970{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:09.965{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:09.959{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:09.947{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:09.940{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:09.933{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:09.929{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 23542300x800000000000000013193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:09.780{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6396600ED85E39CA0295F58439742267,SHA256=7CF4A9822F184D8D0576EC8AD8A7CC6708E6A5DB82858F1D205979167D931C26,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:10.890{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:10.890{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59A90BE2D57AB7B62F92F4DE6F037E12,SHA256=2AB5E225B840717121C012B555D94A3AE591020E157055229A81BDC4643A82E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:10.089{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:10.087{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:10.085{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:10.084{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:10.081{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:10.079{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:10.078{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:10.076{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:10.075{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:10.071{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:10.067{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:10.064{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:10.062{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:10.058{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:10.056{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:10.051{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:10.045{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:10.033{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:10.031{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:10.024{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:10.018{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:10.012{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000013202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:10.004{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 11241100x800000000000000030445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:11.979{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:11.979{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9445DF5CF7B27E6F3843129E1E34424,SHA256=BDFF53308EE64DD25518483C407D2A4206BBE1A20B9D6C0D323F31E71162BC1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:11.042{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=815E7C3471A5DBF3274138E316912A0C,SHA256=A611456C2AB159985D2E4222B3EE5668761B80DCDE45A2C95FF68E836678F96F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:08.634{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56823-false10.0.1.12-8000- 23542300x800000000000000013226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:12.196{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B1A45C1E2815A1A954F3AB8A6DDAAD2,SHA256=A80097047E5EC75C27A05836E6989E5D78D55BB4961FA88BB3A034B9E31EA3C8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:12.959{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 11:11:01.844 23542300x800000000000000030446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:12.959{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D3921804BA532EC090E215E4FC7F941,SHA256=D0CAB0136D4F1649649C5E6B4A935129BE762198A473B00A601BFF1DE27D46EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:13.305{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB9F2564D6A80491B598E16DFD6C8F8D,SHA256=5E4CDDFED865BC441A65743584BD4FDD365CC32A215499587EA2A17DD99F094D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:09.467{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49949-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000030451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:10.316{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local56824-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000030450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:10.316{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local56824-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 11241100x800000000000000030449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:13.065{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:13.065{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32B393267C152B6B7A122427796A3759,SHA256=1C022C08682D3BB42238D542E49983C0E90C98CBAF8892A05E59F989FD80FC49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:14.394{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30A1E19B824DB4088104846A007D4AE1,SHA256=2D4697F10EF3E86E77D74BD1A5AE900339E08A6A97D8627988B2BF48B1A359F0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:14.158{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:14.158{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F6F3F49A85336054C221D9825BCF273,SHA256=F2DF293DF983537A9813AC679C709BAB91B522840E00258BA3861068D94BEEA3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:15.227{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:15.227{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=647813EDFAFF8D2060A61089C30D584B,SHA256=3A77875B47E065D77415D91B8E8E9C8532AF0FCD78B1244217E090F73830BED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:15.493{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D8498E6FE04A34E37E1C8AAA5A7AA25,SHA256=7D8EC2D61F22F2C49B5D6631A6D26CEE4614B0852149E24ACB961F7F1C12E5CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:16.592{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96DF91CFD4169FEDFCBFABD714D6101C,SHA256=B2A65E4E57BF3A48428980C7B73EAD7B77622C9C4BD720206BEA48553CCD3817,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:16.323{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:16.323{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52A43F30E40FB68354CE3CCB6B603419,SHA256=5FD156B38AB5442C1EEF8CFF828003B0505DFEE37527F75D125A70A3DA6B4989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:17.676{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0747AC5C068DDCEA0C3F30A6B8A2FB34,SHA256=D0335EBE98E68CA4F043B287567B7ADEAE876097A5BD608B01232AAFA5CA997E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:14.897{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local56808- 354300x800000000000000030462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:14.897{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local51631- 354300x800000000000000030461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:14.897{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local51631-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local53domain 354300x800000000000000030460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:14.628{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56825-false10.0.1.12-8000- 11241100x800000000000000030459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:17.415{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:17.415{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C00A8B1F188099EDF01BF1B19FDD5F7D,SHA256=175C7CA512F5B86FA4DDF8C99DB5BD13C359DA85EC0143033E446F6E7BF6279C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:18.843{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:18.787{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B4BCC246307063E1178C64037FD5CB2,SHA256=0FC9A08E4570B76CDD2D7FB7CCFFD1E4090FB9FB068085D2C154DB1109158A6C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:18.509{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:18.509{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=508CA32585AF05D290C67B2AEBD49F26,SHA256=2ABC426B046D9A9027F4D8B958447D1FF43A0DB3F0D3EF5DC2E528F080F68F81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:18.647{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\respondent-20230116112145-021MD5=B18DB66107F9A3DB58AE009D35CE0A39,SHA256=9B023875329D6D96D1D2E2C61D5FC66BDE525A94E7FC76E10487647BF6E62E63,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:14.592{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49950-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000013238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:19.861{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58F4033CE4B69065849D1FC344E98FC5,SHA256=20CEC41B4F8896C9AD063A77DDE36B16E118A6456E64056BA5D1520B3CCEEB35,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:19.580{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:19.580{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25653CED9CE9685B16E6D599DF7C5A89,SHA256=B141E023D8B003BD9F93C060FB99E5AF3923AF472A2F2C0EDE6E46CF51DAB2A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:19.657{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\surveyor-20230116112142-022MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:20.945{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E4E5A94C8CFF5AF26BDB45C7E289DCD,SHA256=3E247031B1B450DDE407C0EE42B62CB12E99E2D7D4B9882D15EE08DDBFEE4820,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:20.665{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:20.665{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=101EF0C854EC0796B15EFAD24149789B,SHA256=2B77FF0A366EE5630E23AD5FD0A255D7716B29B93290A1061FA7EFBB7353161E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:17.197{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49951-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 11241100x800000000000000030472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:21.750{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:21.750{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DD0F337C1A5E7A9C229CBF290F91B4C,SHA256=4C96C82D9CFD8B9A25E82620A8995AD459E00A2A1FFCE27FCFEAB8F7E1856E16,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:21.100{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-16 11:44:21.100 11241100x800000000000000030495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:22.776{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:22.776{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=013286CD210C3ADCF6D26182AE4A0393,SHA256=48F2934A8D85D53622E4D79E6857BB515B26EF861A05AD1833940869D9EA4107,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:22.042{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B4FA9C4821E3E53CBBD67511C867F43,SHA256=FFC795041878EE0A64F9C87D155FC418606E04FC469B25A256F6E2A4AEFC2F84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:22.683{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:22.677{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:22.302{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:22.291{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:22.284{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:22.282{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:22.280{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:22.278{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:22.245{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:22.239{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:22.221{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:22.211{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:22.205{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:22.175{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:22.166{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:22.156{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:22.149{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:22.140{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:22.132{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:22.098{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:22.096{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 11241100x800000000000000030507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:23.863{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:23.863{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85A9F96787CFEAD31322AC4A2EAE12F8,SHA256=C77F76CCF6A010408C6C369C49E9D1B7A443D2C0BCCFB152704F87EAB26C6C1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:19.614{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49952-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000013242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:23.146{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF43D3490A31FDB974D830A0CD73D27E,SHA256=1B7F04430EB874415E15B68A076F71BFAF63BD4804E72434FBDC8F06EAA7C785,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:23.615{FCCA13C7-3897-63C5-8D05-00000000AF02}67686936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:23.474{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-3897-63C5-8D05-00000000AF02}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:23.474{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:23.474{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:23.474{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-3897-63C5-8D05-00000000AF02}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:23.474{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:23.474{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:23.474{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-3897-63C5-8D05-00000000AF02}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000030497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:23.475{FCCA13C7-3897-63C5-8D05-00000000AF02}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000030496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:19.672{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56826-false10.0.1.12-8000- 23542300x800000000000000030534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:24.972{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=62B44B7E871DC19A5B6E97DB463228C6,SHA256=04ED29ECF71B8BB14AD79B7E8E8E7CB80F7D8ED2B081AD7A58727CAE1AA63F57,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:24.941{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:24.941{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4436542C27CDAB81CD7BEF150751736F,SHA256=69E7EA4DD4CF9430C487434CD58E65231E7AF0A3E5E45DB85FEE156A02FE6923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:24.244{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC015EF704A400661F1BDEF1C4A4F97B,SHA256=186A98BFF2C80ADF6FC444E3E59221F15F0AA41C009EA68500119949273F8382,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:24.816{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-3898-63C5-8F05-00000000AF02}7148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:24.816{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:24.816{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:24.816{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:24.816{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:24.816{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-3898-63C5-8F05-00000000AF02}7148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:24.816{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-3898-63C5-8F05-00000000AF02}7148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000030524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:24.817{FCCA13C7-3898-63C5-8F05-00000000AF02}7148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000030523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:24.742{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:24.741{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:24.734{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:24.732{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:24.729{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:24.724{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 11241100x800000000000000030517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:24.508{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 11:10:32.859 23542300x800000000000000030516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:24.508{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8FB49CFFB16A686711C9AB00B84C0E9E,SHA256=A640A26D59E092851BF7A9967ED3CEC363D33732262FEA89A927CD4F7039BDF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:24.158{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-3898-63C5-8E05-00000000AF02}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:24.158{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:24.158{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:24.158{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:24.158{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:24.158{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-3898-63C5-8E05-00000000AF02}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:24.158{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-3898-63C5-8E05-00000000AF02}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000030508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:24.159{FCCA13C7-3898-63C5-8E05-00000000AF02}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000013245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:25.351{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99DC074A7FBE0A2E755F7B740D3B045C,SHA256=CF1D75469E3013001D17F351107C4ABBF312F2287D935ACEFB8FE731E818477C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:25.715{FCCA13C7-3899-63C5-9005-00000000AF02}35523116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:25.484{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-3899-63C5-9005-00000000AF02}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:25.482{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:25.482{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:25.482{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:25.482{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:25.482{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-3899-63C5-9005-00000000AF02}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:25.481{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-3899-63C5-9005-00000000AF02}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000030557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:25.481{FCCA13C7-3899-63C5-9005-00000000AF02}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000030556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:25.373{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:25.373{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:25.372{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:25.371{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:25.370{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:25.345{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:25.338{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:25.323{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:25.293{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:25.285{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:25.275{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:25.271{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:25.270{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:25.266{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:25.264{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:25.263{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:25.259{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:25.257{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:25.256{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:25.255{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:25.254{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000030535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:25.252{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 23542300x800000000000000013246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:26.435{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=608920595A35E9E9F73A182C958014DF,SHA256=0C59E502D17AB953D88C25B706F7CE520F1C943A797D7480DCB2F365B5C294EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:26.666{FCCA13C7-389A-63C5-9105-00000000AF02}26525176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:26.518{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-389A-63C5-9105-00000000AF02}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:26.515{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-389A-63C5-9105-00000000AF02}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:26.515{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-389A-63C5-9105-00000000AF02}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:26.386{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-389A-63C5-9105-00000000AF02}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:26.386{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:26.386{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:26.386{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:26.386{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:26.386{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-389A-63C5-9105-00000000AF02}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:26.386{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-389A-63C5-9105-00000000AF02}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000030568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:26.387{FCCA13C7-389A-63C5-9105-00000000AF02}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000030567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:26.079{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:26.079{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD3976001158ADA86752A728893B859,SHA256=9A8B2F0DEFA104DED5D82038AE58DE9E5F373AF258BCFD6EECBF5CA6F22A2A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:27.532{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A870B32CA089A4FD5D2C2E851BBC008,SHA256=6ED932FB458F583525B6323D5F0EB7ADA729ADDA732B672007B3EB002633A011,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:27.226{FCCA13C7-389B-63C5-9205-00000000AF02}60643808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000030589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:27.132{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:27.132{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F451E05CCAC86E98BC82A2BC65921DC8,SHA256=9458C18941ED8D29A003547585DAED7374FD52E07762EE2EF68DDA9DAB82718E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:27.058{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-389B-63C5-9205-00000000AF02}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:27.058{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:27.058{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:27.058{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:27.058{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:27.058{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-389B-63C5-9205-00000000AF02}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:27.058{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-389B-63C5-9205-00000000AF02}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000030580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:27.059{FCCA13C7-389B-63C5-9205-00000000AF02}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000013250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:25.579{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49953-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000013249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:28.622{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=650205DFAA845B8FF3641066EC87601E,SHA256=B5DF765752D9DB7AF921A88DFF728A2D8946E71B59C86E9A420B1180BFBDC3F4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:28.211{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:28.211{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C7517397134E5B232C6343E07C38F85,SHA256=00D8E1699418E3FAE1DD45C4FA9C00320E50115CE7840B13F3C7B42948B30276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:28.157{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=88346BCE76D319C1A072F6299D9A44EF,SHA256=A8C4B04D3FE4E1BF8A0CF72B26AD872F254BA1C98D798C0729AB7F0C114B0BFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:29.968{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:29.960{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:29.951{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:29.944{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:29.936{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:29.926{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:29.923{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 23542300x800000000000000013251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:29.712{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47C2C29DA3C807C4F9136BA0AB299306,SHA256=9FC92F66BF54C40E97FA277E1E751EE7E5A558C1B10C957E6365638AE85618B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:25.689{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56827-false10.0.1.12-8000- 11241100x800000000000000030602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:29.276{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:29.276{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C036DB5572198DAECC6A85238973209D,SHA256=3D16AAF4A920C2DDA6AA483B5E6B0F1DE0FF417F7E5C735CBE3336A25ACF0178,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:29.088{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-389D-63C5-9305-00000000AF02}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:29.088{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:29.088{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:29.088{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:29.088{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:29.088{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-389D-63C5-9305-00000000AF02}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:29.088{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-389D-63C5-9305-00000000AF02}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000030593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:29.089{FCCA13C7-389D-63C5-9305-00000000AF02}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000013283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:30.954{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B99B82014BEEA83C67A009AE81C868B,SHA256=3755B677846DC37C7F9A17129AF113F13F8DB705A720AD8DEDD86888B651A2F1,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000030606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:30.832{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\DisallowedCertLastSyncTimeBinary Data 11241100x800000000000000030605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:30.362{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:30.362{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=229FEE6FE83B7C917E3304FB55A6ADA8,SHA256=CCC6B207068B98BD82D7DA06CDAF6D4663E0DCAE3D433E7A9CE1FFB115CF4B08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:30.093{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:30.091{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:30.088{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:30.087{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:30.084{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:30.082{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:30.081{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:30.080{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:30.080{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:30.078{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:30.077{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:30.076{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:30.073{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:30.067{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:30.065{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:30.061{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:30.055{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:30.044{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:30.042{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:30.035{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:30.030{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:30.021{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:30.008{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:30.000{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 11241100x800000000000000030608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:31.452{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:31.452{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6315BD32E4D15B99CDBB574EB2E0C8C8,SHA256=3C3233E191A2257BC838D08F085C5C30D313A93E2B8F681B2F97A14C07ACAF4A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:32.530{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:32.530{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F964042A360C09CAD96126496EF5EFFF,SHA256=3A7A4D2D8110F6039E22BDA3C4C90A67A2860CFAA519E880409542792983239C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:32.098{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA2DB7A4A120A4A542BD145A0D30F6AB,SHA256=5CF999B7446553E1C31E601ADC771A7CFEBD73EE9BD1D825FBBCB75D9FA7F089,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:29.300{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56828-false72.21.81.240-80http 354300x800000000000000030609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:29.286{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local62849- 11241100x800000000000000030614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:33.624{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:33.624{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E78AACBAD43FE39C143EDFAA6AFE697E,SHA256=10312D0331BBADB2ABFA02236BAE7D9D3286C180DC5BBF9ACF6CC0EB2DFA0486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:33.188{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D49F92033AC20353F49A695BF4A61218,SHA256=BCE622D816EB3F9754B02D3E15C27683425B1F2B83C9A01E7A2789B09E06BD6E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:34.697{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:34.697{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B69857F80C052EB918A13F8D1882EED,SHA256=18ABB0DFB67CDB682497788DB934D4D3259B0C123ECA6692F167BB3C3223C26C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:34.288{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEC96257A9BD8FF861CDF621EAD3F667,SHA256=4EAE053B82587FB58B42AA0F4B7EB02EB4C2D630233D210A9D73F4F52E7BCB5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:30.630{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local57557- 11241100x800000000000000030620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:35.785{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:35.785{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08102476CB6D23B96449F6D1DB7A8177,SHA256=04F0BE72F663DDBEBE920C5D61B582396F0723602B6DE71332A5D53E15DC8696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:35.390{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA1F7FD85736F9E1894AB382B72C821C,SHA256=5BF75C8742BFB85532A631BB1ABC96FF6190E390B9E31A528AB28288F09DFDE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:31.547{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49954-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000030618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:31.621{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56829-false10.0.1.12-8000- 11241100x800000000000000030622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:36.866{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:36.866{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B225D58650549A105598F9A6AD3E33C,SHA256=8184405AF2D32B6213D92D932B61613634F5AB5140AC9BDEEDEDD1982F247D01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:36.374{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B378B1A4ADF274A0F33FF7C07ED380B1,SHA256=87A51BAFAB6B658F92FBDC7D9A001694F8A770AC2C7F88B604234F90A441B0E5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:37.950{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:37.950{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB271BE7227E8D0175F3BD1380FAB64,SHA256=8FAF4DB981DA8BCEF37B8A3F45CFA936BA5669BC4AD9EBC1A1B6BFEC19C71776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:37.452{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F13DA4FF75F4B0D74F2A301D302D9CB,SHA256=3E4C75F27D7942D8A20A6DA1A6A11798FEC464498762C583282096876570B1EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:38.523{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F022BD3F4F69FEC67C9DBCE339118F0,SHA256=5143F67362C0C24669C6022B734CE847C57B073D52D24CB701D422DBF6283346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:39.617{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51F289FB0E9BA162655217319B7055F5,SHA256=FD779BC7683C3D4C059B5CA3CE2D404CBDD779B75B240FD64FB7C8E05ACA8EBF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:39.046{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:39.046{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88AE8510203741A31CA8E2E3600FE2C8,SHA256=540671EA39693DC91A206FF3C669096C3497071035F47F5B7120F46F03E28701,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:40.718{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1D8169BE657416B87030E869E7DCCC0,SHA256=44AEED8E45B1DC9750BD3F3ECAAB145C7C45CFA9E4F2EC1E33607C4F41134BA5,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000030661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:40.913{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x800000000000000030660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:40.897{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x800000000000000030659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:40.897{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 13241300x800000000000000030658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:40.882{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 13241300x800000000000000030657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:40.882{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 13241300x800000000000000030656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:40.866{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 13241300x800000000000000030655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:40.866{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 13241300x800000000000000030654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:40.866{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000030653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:40.866{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x800000000000000030652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:40.866{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 13241300x800000000000000030651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:40.851{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 13241300x800000000000000030650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:40.835{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000030649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:40.835{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000030648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:40.835{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000030647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:40.835{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000030646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:40.819{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000030645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:40.819{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000030644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:40.819{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000030643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:40.819{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000030642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:40.819{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirectionDWORD (0x00000001) 13241300x800000000000000030641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:40.819{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PIDDWORD (0x00000000) 13241300x800000000000000030640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:40.819{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID{00000000-0000-0000-0000-000000000000} 13241300x800000000000000030639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:40.819{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupViewDWORD (0x00000000) 13241300x800000000000000030638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:40.819{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfoBinary Data 13241300x800000000000000030637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:40.819{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\SortBinary Data 13241300x800000000000000030636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:40.819{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSizeDWORD (0x00000010) 13241300x800000000000000030635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:40.819{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x800000000000000030634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:40.819{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewModeDWORD (0x00000001) 13241300x800000000000000030633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:40.819{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ModeDWORD (0x00000004) 13241300x800000000000000030632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:40.819{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid{137E7700-3573-11CF-AE69-08002B2E1262} 13241300x800000000000000030631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:40.819{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x800000000000000030630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:40.819{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\RevDWORD (0x00000000) 354300x800000000000000030629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:37.599{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56830-false10.0.1.12-8000- 11241100x800000000000000030628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:40.133{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:40.133{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=752EFD22D8AF1F5841586DBBB729AEC1,SHA256=9727E59686DF94E1B1AC03E70E72DA0EC5746E428DA859963FE24CCAA7A55C61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:41.806{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26A72BDA78D55760A85E8F05B4DD50A7,SHA256=CB624CCE312D64AF9FABB763C78E4BB3FA186D5A83B98B47962BE36387322821,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:41.239{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:41.239{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5B006A1EE504542E621147BE43C41CA,SHA256=E8C5B190ACAA90F8060F0FF88F01100389A5E7D9906350A1D9C864A87AFEBC1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:37.430{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49955-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000013296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:42.900{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F067362399AE3502485ABAB1BCB19D9,SHA256=70BE551050FA1EA7AC7C79B38CF51BAC32C0CD06E3F57CC1B23A2BE639A7062C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:42.721{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:42.716{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 13241300x800000000000000030719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.343{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderTypeDocuments 13241300x800000000000000030718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.343{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderTypeDocuments 10341000x800000000000000030717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:42.342{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:42.331{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:42.325{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:42.322{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:42.320{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 13241300x800000000000000030712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.320{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 10341000x800000000000000030711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:42.318{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 13241300x800000000000000030710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.317{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000030709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.317{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 11241100x800000000000000030708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:42.310{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:42.309{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCECA0D8EFAC9B4EF172B646392E0A15,SHA256=309F8FF98A836EC679C41C800CC3DD90F45349128ED2293618872F4D17F060BB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000030706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.292{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 10341000x800000000000000030705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:42.286{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 13241300x800000000000000030704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.284{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x800000000000000030703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.283{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 13241300x800000000000000030702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.282{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 10341000x800000000000000030701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:42.281{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 13241300x800000000000000030700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.272{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000030699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.272{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000030698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.271{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderTypeDocuments 13241300x800000000000000030697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.271{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000030696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.271{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000030695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.270{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000030694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.270{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000030693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.270{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000030692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.270{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000030691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.269{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000030690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.269{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000030689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.269{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirectionDWORD (0x00000001) 13241300x800000000000000030688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.269{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PIDDWORD (0x00000004) 13241300x800000000000000030687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.269{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID{B725F130-47EF-101A-A5F1-02608C9EEBAC} 13241300x800000000000000030686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.269{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupViewDWORD (0xffffffff) 13241300x800000000000000030685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.269{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfoBinary Data 13241300x800000000000000030684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.269{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\SortBinary Data 13241300x800000000000000030683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.269{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSizeDWORD (0x00000030) 13241300x800000000000000030682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.269{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlagsDWORD (0x41200001) 13241300x800000000000000030681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.269{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewModeDWORD (0x00000002) 13241300x800000000000000030680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.269{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ModeDWORD (0x00000006) 13241300x800000000000000030679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.269{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid{65F125E5-7BE1-4810-BA9D-D271C8432CE3} 13241300x800000000000000030678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.269{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlagsDWORD (0x41200001) 13241300x800000000000000030677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.269{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\RevDWORD (0x00000000) 13241300x800000000000000030676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.269{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000030675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:42.268{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 10341000x800000000000000030674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:42.264{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:42.249{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:42.244{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:42.206{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:42.194{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:42.183{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:42.169{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:42.158{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:42.149{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:42.099{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:42.096{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000013298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:43.988{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DF909F5B08B0D72B42F71E5F450FF2C,SHA256=5E1F17652AAEDFB509EC6607AD1044D04F36AFE66587A37F000B13715B2DD982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:43.785{312A7A06-3345-63C5-1200-00000000B002}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=AB5F524E2AAB77ACCEFF4CFAAA8CDBE5,SHA256=C121A1B52AC3D235AFA74FC8EFB48766F0F83C084A4618B732430577DC84A43F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:43.946{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2023-01-16 11:12:42.170 23542300x800000000000000030760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:43.946{FCCA13C7-30ED-63C5-1100-00000000AF02}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7702014E0AB685D2D7ACDAC2223A801B,SHA256=64B93C6DB4215B75BEC616EF23AE1003ED14B0267ED9EA631D8719194D7B5B81,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:43.798{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:43.798{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0786833048E5ECE8AB365C4897388367,SHA256=BAFD1995618757E1A1935AD9011A7931214EA73F49C50C1F81D619D785B5C9F0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000030757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.346{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\SniffedFolderTypeDocuments 13241300x800000000000000030756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.346{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\SniffedFolderTypeDocuments 13241300x800000000000000030755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.346{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\@C:\Windows\System32\acppage.dll,-6003Windows Command Script 13241300x800000000000000030754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.346{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 13241300x800000000000000030753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.331{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 13241300x800000000000000030752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.331{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000030751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.331{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x800000000000000030750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.300{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x800000000000000030749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.300{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 13241300x800000000000000030748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.284{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000030747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.284{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000030746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.284{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\SniffedFolderTypeDocuments 13241300x800000000000000030745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.284{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000030744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.284{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000030743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.284{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000030742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.284{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000030741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.284{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirectionDWORD (0x00000001) 13241300x800000000000000030740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.284{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PIDDWORD (0x00000000) 13241300x800000000000000030739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.284{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID{00000000-0000-0000-0000-000000000000} 13241300x800000000000000030738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.284{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupViewDWORD (0x00000000) 13241300x800000000000000030737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.284{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfoBinary Data 13241300x800000000000000030736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.284{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\SortBinary Data 13241300x800000000000000030735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.284{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSizeDWORD (0x00000010) 13241300x800000000000000030734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.284{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200011) 13241300x800000000000000030733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.284{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewModeDWORD (0x00000001) 13241300x800000000000000030732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.284{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ModeDWORD (0x00000004) 13241300x800000000000000030731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.284{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid{137E7700-3573-11CF-AE69-08002B2E1262} 13241300x800000000000000030730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.284{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x800000000000000030729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.284{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\RevDWORD (0x00000000) 13241300x800000000000000030728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.284{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000030727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.284{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000030726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.067{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000030725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.067{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000030724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.067{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListExBinary Data 13241300x800000000000000030723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.067{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000030722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:43.067{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 10341000x800000000000000030769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:44.758{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:44.756{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:44.752{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:44.750{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:44.748{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:44.743{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 11241100x800000000000000030763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:44.364{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:44.364{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34934CE1F40CEAE98AB6BD1EF6939E47,SHA256=17ADCE7211535764B01F8E174B117E39BA4F4E074439CD3E83AA389CBCCDCE17,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:42.568{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49956-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000013299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:45.083{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89514CFBDB52F9BF52494664B463E147,SHA256=BCF80127541B9E04EF898AD355F32038226FA8333C15A1D8F893CDD0630FC497,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:45.478{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:45.478{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=022C22AB75EDCA639CEF25EB75F07E13,SHA256=59F59CBB057101E6AD90A380436D7EB26ECF7F90B1F2BCAE19176088AA318FEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:45.415{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:45.415{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:45.413{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:45.412{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:45.411{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:45.386{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:45.374{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:45.357{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:45.320{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:45.313{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:45.300{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:45.292{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:45.291{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:45.288{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:45.285{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:45.284{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:45.280{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:45.278{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:45.277{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:45.276{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:45.274{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000030770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:45.272{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 11241100x800000000000000030796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:46.467{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:46.467{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C74E2B328AE92B403D2CCC09E89BF3FB,SHA256=48CAB839B35A71C3434D14E44A65622DD5D7319692C1B7B4203801774884E9A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:46.170{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E27962CB8B80F9DD41CE893EFF56563,SHA256=541EDC81E0C53D29FA0B93A42404AFB061B987D697B28CFE0C29D2CEF512A1A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:42.609{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56831-false10.0.1.12-8000- 11241100x800000000000000030801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:47.554{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:47.554{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1832C2C63E18BD35BFB2206D2F85628C,SHA256=277431C44FECFF181E0E0E8094F07742C37DC40A7E54969F7EE9C3F5C7BC843B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:47.270{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFFB3884581DF97801AADDC19BF0EBCA,SHA256=D53A0A59220BB820A48B1553D7B865C6D9D6BB5DFA2C0B52DAF6B4177D6EDCF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:47.058{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\respondent-20230116111158-031MD5=3A7897B317CA03B79FE07533175F9643,SHA256=F76FF17815B8F96571634A983322FD544389A7130FC207258DDFB92658757A4D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:47.057{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\tmp\respondent-20230116111158-0312023-01-16 11:44:47.056 11241100x800000000000000030797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:47.055{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\tmp\surveyor-20230116111156-0322023-01-16 11:44:47.055 11241100x800000000000000030804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:48.648{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:48.648{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75EFD79FF89ED616CE2518CDEFD6ED32,SHA256=ABDFC5CC824AE7AA7A451C4E3E935DDCDBB7F19C0C175D1320462B75E86C0ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:48.363{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73CCE1C710AAF9FCD892D600FC54642B,SHA256=AAFF9ADD47A4781392C76A21B766A0C0AF1CF82F24C630508CCE5D28F255508F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:48.060{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\surveyor-20230116111156-032MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:49.908{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEC:\Temp\Downloads_lockbit_opendir.7z2023-01-16 11:44:49.908 11241100x800000000000000030806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:49.744{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:49.744{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78E7F0250B60732647699397210C6A33,SHA256=ABBA9CDCAF6E04288A464FF6D177EB9410C46130D646B018EE2256AAAE1D65BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:49.997{312A7A06-3346-63C5-1D00-00000000B002}19963400C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EC2190) 10341000x800000000000000013312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:49.989{312A7A06-3346-63C5-1D00-00000000B002}19963400C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EC2190) 10341000x800000000000000013311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:49.967{312A7A06-3346-63C5-1D00-00000000B002}19963400C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EC2190) 10341000x800000000000000013310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:49.963{312A7A06-3346-63C5-1D00-00000000B002}19963400C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EC2190) 10341000x800000000000000013309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:49.955{312A7A06-3346-63C5-1D00-00000000B002}19963400C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EC2190) 10341000x800000000000000013308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:49.948{312A7A06-3346-63C5-1D00-00000000B002}19963400C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EC2190) 10341000x800000000000000013307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:49.934{312A7A06-3346-63C5-1D00-00000000B002}19963400C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EC2190) 10341000x800000000000000013306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:49.932{312A7A06-3346-63C5-1D00-00000000B002}19963400C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EC2190) 10341000x800000000000000013305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:49.930{312A7A06-3346-63C5-1D00-00000000B002}19963400C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EC2190) 23542300x800000000000000013304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:49.448{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D300C3297CA68ECC7ADFE16862363DD5,SHA256=CAA9A672FE939DC42FE2087E50326F28858523748448E39B7C7F9CE2D464195E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:50.855{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:50.855{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833DEFB4D5202398B9939EC8ECCE05A4,SHA256=70D53B6DC85653E4F374892863F4C985E21C4CE513DFC820600D511FE0A354D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:50.648{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB14507A193F4765220B25DBCB087CDA,SHA256=C8CA5E952B12C534A0E09C962EF46AD35C270171692AB81ABB4935D029C6E0F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:47.727{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56832-false10.0.1.12-8000- 10341000x800000000000000013335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:50.077{312A7A06-3346-63C5-1D00-00000000B002}19963400C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EC2190) 10341000x800000000000000013334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:50.074{312A7A06-3346-63C5-1D00-00000000B002}19963400C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EC2190) 10341000x800000000000000013333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:50.073{312A7A06-3346-63C5-1D00-00000000B002}19963400C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EC2190) 10341000x800000000000000013332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:50.071{312A7A06-3346-63C5-1D00-00000000B002}19963400C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EC2190) 10341000x800000000000000013331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:50.069{312A7A06-3346-63C5-1D00-00000000B002}19963400C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EC2190) 10341000x800000000000000013330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:50.066{312A7A06-3346-63C5-1D00-00000000B002}19963400C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EC2190) 10341000x800000000000000013329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:50.064{312A7A06-3346-63C5-1D00-00000000B002}19963400C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EC2190) 10341000x800000000000000013328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:50.064{312A7A06-3346-63C5-1D00-00000000B002}19963400C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EC2190) 10341000x800000000000000013327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:50.063{312A7A06-3346-63C5-1D00-00000000B002}19963400C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EC2190) 10341000x800000000000000013326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:50.062{312A7A06-3346-63C5-1D00-00000000B002}19963400C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EC2190) 10341000x800000000000000013325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:50.060{312A7A06-3346-63C5-1D00-00000000B002}19963400C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EC2190) 10341000x800000000000000013324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:50.059{312A7A06-3346-63C5-1D00-00000000B002}19963400C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EC2190) 10341000x800000000000000013323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:50.056{312A7A06-3346-63C5-1D00-00000000B002}19963400C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EC2190) 10341000x800000000000000013322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:50.052{312A7A06-3346-63C5-1D00-00000000B002}19963400C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EC2190) 10341000x800000000000000013321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:50.049{312A7A06-3346-63C5-1D00-00000000B002}19963400C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EC2190) 10341000x800000000000000013320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:50.046{312A7A06-3346-63C5-1D00-00000000B002}19963400C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EC2190) 10341000x800000000000000013319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:50.040{312A7A06-3346-63C5-1D00-00000000B002}19963400C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EC2190) 10341000x800000000000000013318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:50.024{312A7A06-3346-63C5-1D00-00000000B002}19963400C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EC2190) 10341000x800000000000000013317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:50.022{312A7A06-3346-63C5-1D00-00000000B002}19963400C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EC2190) 10341000x800000000000000013316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:50.015{312A7A06-3346-63C5-1D00-00000000B002}19963400C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EC2190) 10341000x800000000000000013315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:50.010{312A7A06-3346-63C5-1D00-00000000B002}19963400C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EC2190) 10341000x800000000000000013314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:50.004{312A7A06-3346-63C5-1D00-00000000B002}19963400C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019EC2190) 11241100x800000000000000030819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:51.933{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:51.933{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81D932755D6F43728AAEAAAECFB98D26,SHA256=D686264F7ADBAB979137C372F6A3847B335AF636638D18C2BCE617FDF3BB632C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:51.738{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB127E535E2423D91A49638B6FACF825,SHA256=CDFD58198A07C52D94F92EDB9396BF1234B062A690F04E7F8A0F82239EEBB3E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:51.500{FCCA13C7-30ED-63C5-0D00-00000000AF02}9084216C:\Windows\system32\svchost.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000030816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:51.094{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-16 11:44:51.094 13241300x800000000000000030815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:51.023{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000030814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:51.023{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x800000000000000030813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:51.022{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000090502\VirtualDesktopBinary Data 10341000x800000000000000030812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:51.018{FCCA13C7-3386-63C5-9501-00000000AF02}28963900C:\Windows\system32\taskhostw.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000030811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:44:50.999{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 10341000x800000000000000013343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:52.923{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:52.923{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:52.922{312A7A06-3345-63C5-0B00-00000000B002}628668C:\Windows\system32\lsass.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:52.905{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1D00-00000000B002}1996C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000013339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:52.817{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43E28EF30B843D517DF303EEBABF350A,SHA256=CA2817C7D46E06D7931308357F28644C68BA309A87E947B7818965F5EF6CB92C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:48.487{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49957-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000013344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:53.900{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63BCC69D0CEBE46F191EE7EEA1B04710,SHA256=472186C86229F21D61125A1BD744619316F35939BEEFA0418A06FBE5DC1DF82E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:53.005{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:53.005{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=124F7AECB13B6AB44B5EA710434AEA95,SHA256=AE295A906C06287C2855D754D94AFECE290AD10F793BCCFA2663EB71C5BFD423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:54.997{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FFF751478C08DDA3CEE2B6F00682211,SHA256=839B5F0319196D4664E156C90A6DF7ADC133B95FB232F4B48F57574CB98DB42D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:54.345{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1EB0C7F83FAEFD189F18EFCABBFF9F68,SHA256=B1A93973329920C7E869B205C860A87F83F8CC0BD770A04E23877B5E66A1D5C0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:54.079{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:54.079{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4667DECB9894055D779D68AE3F1776C,SHA256=573A02060B764A83EACCF4BCB1AC9DA9E75536EF6E854086F4D22A8B696DDA5E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:55.156{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:55.156{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98EADF031B41EF3158C381D141CE2703,SHA256=F90AE6D41415788C36EAC5450D1F0C4C5BC7542207AC6487C089BE149A7889A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:53.680{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56833-false10.0.1.12-8000- 11241100x800000000000000030828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:56.233{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:56.233{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3A68E5AEF9F69E71A2ACDEED94E0D7E,SHA256=01B490FC32F6B33302C95BEE6510F28F357D13F10C5FE82D78CCF22B054B47A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:56.798{312A7A06-38B8-63C5-B401-00000000B002}30162780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000013377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:53.596{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49958-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000013376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:56.744{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A3F4F8E3CCBC846AB7BD972AB6AE3B00,SHA256=3CE14AFE9BE4A0E7C30893A7797DF38495753517567BCF006CDA9454BA2FE17A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:56.718{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-38B8-63C5-B401-00000000B002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000013374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:56.717{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-38B8-63C5-B401-00000000B002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000013373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:56.717{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-38B8-63C5-B401-00000000B002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000013372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:56.625{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-38B8-63C5-B401-00000000B002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:56.625{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:56.625{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:56.625{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:56.625{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:56.625{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:56.625{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:56.625{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:56.625{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:56.625{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:56.625{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-38B8-63C5-B401-00000000B002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:56.625{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-38B8-63C5-B401-00000000B002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:56.626{312A7A06-38B8-63C5-B401-00000000B002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:56.125{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-38B8-63C5-B301-00000000B002}980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:56.125{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:56.125{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:56.125{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:56.125{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:56.125{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:56.125{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:56.125{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:56.125{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-38B8-63C5-B301-00000000B002}980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:56.125{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:56.125{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:56.125{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-38B8-63C5-B301-00000000B002}980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:56.126{312A7A06-38B8-63C5-B301-00000000B002}980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000013346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:56.094{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E66360D07C4FB2FCCD8119DEF57AF6C,SHA256=DA03DA20D00DE976E17A5A25770378E986A610B6166CD26FF1C57220C0187AFE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:57.532{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2023-01-16 11:14:07.413 23542300x800000000000000030832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:57.532{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:57.313{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:57.313{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9A5CD3A003857126B029FF5B8634352,SHA256=CA9D25A428655ACE26A033241F843CBC13E548026F7B00F86CA5A9EE5AADCF64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:57.255{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-38B9-63C5-B501-00000000B002}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:57.255{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:57.255{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:57.255{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:57.255{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:57.255{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:57.255{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:57.255{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:57.255{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:57.255{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:57.255{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-38B9-63C5-B501-00000000B002}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:57.255{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-38B9-63C5-B501-00000000B002}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:57.258{312A7A06-38B9-63C5-B501-00000000B002}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000013380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:57.255{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9D3B5910F38F62DFFD7A551B5F92AFC,SHA256=2C723ABFF16032B3EA52BB2A66D879BE0390DA5CA9F319DE6A415D5A6B0105FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:57.176{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79A3BD824D522CA648E8779A3B990306,SHA256=3A1FD37E2F9C39A3AB241F82E75A8DBA0365BFCF840AED380A34D4C813C2069E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:58.406{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:58.406{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=812487E9A16E8CDBC03FFC08549618C0,SHA256=F23607A89ADC299F15A82BA4F8A5AFB055F315FD007A96443C50E4A0BA6CD8C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:58.830{312A7A06-38BA-63C5-B601-00000000B002}29163728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:58.723{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-38BA-63C5-B601-00000000B002}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000013410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:58.723{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-38BA-63C5-B601-00000000B002}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000013409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:58.723{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-38BA-63C5-B601-00000000B002}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000013408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:58.667{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-38BA-63C5-B601-00000000B002}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:58.667{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:58.667{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:58.667{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:58.667{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:58.667{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:58.667{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:58.667{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:58.667{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:58.667{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:58.667{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-38BA-63C5-B601-00000000B002}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:58.667{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-38BA-63C5-B601-00000000B002}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:58.667{312A7A06-38BA-63C5-B601-00000000B002}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000013395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:58.385{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0E4E28B49C0ACC22164B08013669F7EF,SHA256=E8122B06B72C4F80BBBC511068DE274ECD060C1D5CA57D81EDA94552D005485D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:58.276{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CDAAF2CABABE56FB917026C1058273E,SHA256=A08B0D1C8680B82FC71D7AA6A28192C506AED5747FE5BE13FBB1AEF6B755CA97,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:55.993{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56834-false10.0.1.12-8089- 11241100x800000000000000030837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:59.531{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:59.531{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9A9C226B697E6CF8DE9E6C0EBF6D2AC,SHA256=896D895B63534CA8FFFF3D647A53BD69F1BC64F33DC63C951BA8901A121C35DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:59.727{312A7A06-38BB-63C5-B701-00000000B002}4012652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:59.555{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-38BB-63C5-B701-00000000B002}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:59.555{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:59.555{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:59.555{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:59.555{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:59.555{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:59.555{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:59.555{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:59.555{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:59.555{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:59.555{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-38BB-63C5-B701-00000000B002}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:59.555{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-38BB-63C5-B701-00000000B002}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:59.557{312A7A06-38BB-63C5-B701-00000000B002}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000013413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:59.368{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=193D4D72364011564441B636C4A1D326,SHA256=5483DFD8736BEF84193DA3EDC1B5844B869146A5B2D9459B8B409626AFC78A6C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:00.624{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:00.624{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=080AEE72BB6B55B2AB19B94766B069A0,SHA256=5B04DD8EB48A43A041871C67C5D65DE7DC8DB49EB3E95F4FD569E41D6DF3AE74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:00.490{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C7DE2AF4892BA78AED5283B9AD33810,SHA256=C3F96E463B567EC22754A1AAEF198B37836C86549980796E4DA2127177EEEC00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:00.381{312A7A06-38BC-63C5-B801-00000000B002}34523024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:00.219{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-38BC-63C5-B801-00000000B002}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:00.219{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:00.219{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:00.219{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:00.219{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:00.219{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:00.219{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:00.219{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:00.219{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:00.219{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:00.219{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-38BC-63C5-B801-00000000B002}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:00.219{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-38BC-63C5-B801-00000000B002}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:00.219{312A7A06-38BC-63C5-B801-00000000B002}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000030842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:01.715{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:01.715{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCCE82FC09B6493B7523A84B0819CBFB,SHA256=7F2519872720B8268396F3C6AB6099D1FCA0EA29B49233D2A9D738097F1A8D11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:01.453{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2FC49155EB54A8355DB5C8F82E4B75D,SHA256=F8A3C9EA46636990C0B051CDFB31F159115235128F51F16924A5F8A6B0CD506C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:01.363{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-38BD-63C5-B901-00000000B002}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:01.361{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:01.361{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:01.361{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:01.361{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:01.361{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:01.361{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:01.361{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:01.361{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:01.360{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:01.360{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-38BD-63C5-B901-00000000B002}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:01.359{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-38BD-63C5-B901-00000000B002}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:01.360{312A7A06-38BD-63C5-B901-00000000B002}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000030866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:02.879{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:02.873{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 354300x800000000000000030864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:44:59.571{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56835-false10.0.1.12-8000- 11241100x800000000000000030863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:02.760{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:02.760{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DFC9123009942DDA4E40E549F6B55E9,SHA256=2CE06E38F38E9C8036F329C28960D71B7056956F0A53F7E5A5356D59A5AAF13A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:44:59.483{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49959-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000013458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:02.557{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81702D0C49AAF1D4F67B642BB140E5F5,SHA256=BC2268F3977D8D420D23046C6CDB56BE1A7F03FD30678944FE044C59992E987B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:02.460{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:02.440{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:02.429{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:02.421{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:02.417{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:02.413{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:02.365{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:02.356{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:02.330{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:02.320{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:02.311{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:02.260{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:02.251{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:02.239{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:02.230{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:02.220{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:02.194{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:02.127{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000030843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:02.122{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 23542300x800000000000000013457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:02.432{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A9E325AC82E77F4C46DD6EE9E88CD01,SHA256=8671F3447EC7A0B568DC4DA462E645BCD3229A7DC406EA162A8F7C82ABB8A085,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:03.839{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:03.839{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF76D7C7EB6B2C391AA1687344255A6D,SHA256=EBC03FEB465B7456DC536BDEA804EC3F5EBC0EBF0CB417F5597463C0448C5EAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:03.656{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4686A1A30976B31510381895775F0D7,SHA256=377E50A0679298F1EF87A4A22B17CAFC6BAAFEF5DBADA6C7C9DF4AA7B57F916B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:04.940{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:04.939{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:04.935{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:04.932{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:04.930{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 11241100x800000000000000030875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:04.928{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:04.928{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=530C15AFD53C5F20A1DD92712DBBEB6A,SHA256=DCD6EAB8FA8553180F5B20858E8ED790D79E20217AF7F93D61E1BE609730A9E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:04.925{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 23542300x800000000000000013461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:04.750{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8751C5EA0CB81BF96BDB0E430D5640E2,SHA256=03B1D89B9B72738E3EC2B4121F75ADC0EFC64D85BB33E0DDE252518354577A9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:04.517{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:04.517{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:04.517{FCCA13C7-30EC-63C5-0B00-00000000AF02}628756C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:04.504{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-AF01-00000000AF02}3376C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000013462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:05.846{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E778497FDBEDE474A370BAE4086BC17,SHA256=1CC4F5D76FF003C471EC265425C93A1A2B281761DEEE091791065EF3E5E16A1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:05.583{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:05.583{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:05.581{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:05.580{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:05.579{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:05.550{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:05.541{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:05.525{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:05.494{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:05.487{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:05.478{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:05.473{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:05.472{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:05.468{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:05.466{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:05.465{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:05.462{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:05.459{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:05.458{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:05.458{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:05.457{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000030886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:05.455{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 13241300x800000000000000030885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:05.423{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000090502\VirtualDesktopBinary Data 13241300x800000000000000030884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:05.376{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 12241200x800000000000000030883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:45:05.376{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000090502 13241300x800000000000000030882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:05.360{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000030881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:05.360{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 23542300x800000000000000013463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:06.948{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE5CC4D1FED6A187B1DAA49A1C1FCD60,SHA256=BDC2B84A91B0C233F3B6EB8D7624AB70093FF286EA204A674C023F430BCD5B33,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:06.500{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:06.500{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BC5B42004DE236788041B5D777819CD,SHA256=594778AE4B23ACD4B16430A24CEB7BCDCE1937DFA31A4A5B5E6E388B93DDBCC3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000030924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:07.633{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 13241300x800000000000000030923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:07.617{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 13241300x800000000000000030922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:07.617{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 13241300x800000000000000030921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:07.617{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 13241300x800000000000000030920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:07.617{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 11241100x800000000000000030919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:07.617{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:07.617{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3029C89AC6F212333C03ADF7D2FFAEBE,SHA256=AB54F06041087F8181A6C92627B894FFBBB80B554B5629A5298C9F42A77AED00,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000030917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:07.602{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 13241300x800000000000000030916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:07.602{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 13241300x800000000000000030915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:07.602{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 13241300x800000000000000030914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:07.602{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 13241300x800000000000000030913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:07.602{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 13241300x800000000000000030912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:07.602{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 13241300x800000000000000030911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:07.602{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 13241300x800000000000000030910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:07.602{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 11241100x800000000000000030926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:08.711{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:08.711{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9528C5B3BBEFE799C0D0EDA53D988DE,SHA256=DFA6EB9798D592EA40E6728B979755F6E6E5BD4886A9B648E29036198D22B950,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:08.035{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E46C1DE58A3C78C8A644CF1DA6ABAE5C,SHA256=208C25AB7D52662F800FD4CF10B784A38ED96E09D430C9657E986A8E98726368,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:04.587{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49960-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x800000000000000030931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:09.795{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:09.795{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA13B0C4AA6B7A69ECDDDA24A7F3CEF,SHA256=3A868B4C4D96E0572727F4C06373BE95A83245B379F0A70513AF1B871C238759,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:09.980{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:09.974{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:09.967{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:09.960{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:09.950{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:09.938{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:09.932{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 23542300x800000000000000013466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:09.137{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0C3406B94D3B92F947600005583DF57,SHA256=EE2ED1E0DBE9051FA27127D032D932F79B9468C95786CB7FEF8703E6E4C8929B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:09.141{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 11:10:32.859 23542300x800000000000000030928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:09.141{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=445C824E62D145BC87F04FF8D6A5AF65,SHA256=D362DFD83E7C4DBAD614712B25A99CA79DB867048EC57DDCA1A531AB7F09ADE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:05.508{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56836-false10.0.1.12-8000- 23542300x800000000000000013498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:10.444{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=015100626D53F2A7FC5686CD779194FD,SHA256=6149C9FBDE15FC63FB461E259889B9C1AB4E3FD5FCB089693E80B10B07AF008F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:10.411{FCCA13C7-3386-63C5-9501-00000000AF02}28963900C:\Windows\system32\taskhostw.exe{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000030963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:10.396{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000030962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:10.396{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 10341000x800000000000000030961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:10.396{FCCA13C7-3387-63C5-9D01-00000000AF02}12846000C:\Windows\Explorer.EXE{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:10.396{FCCA13C7-3387-63C5-9D01-00000000AF02}12846000C:\Windows\Explorer.EXE{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:10.396{FCCA13C7-3387-63C5-9D01-00000000AF02}12846000C:\Windows\Explorer.EXE{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000030958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:10.380{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000A053C\VirtualDesktopBinary Data 10341000x800000000000000030957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:10.380{FCCA13C7-3387-63C5-9D01-00000000AF02}12843792C:\Windows\Explorer.EXE{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:10.380{FCCA13C7-3387-63C5-9D01-00000000AF02}12843792C:\Windows\Explorer.EXE{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:10.380{FCCA13C7-3387-63C5-9D01-00000000AF02}12843792C:\Windows\Explorer.EXE{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:10.380{FCCA13C7-3387-63C5-9D01-00000000AF02}12843792C:\Windows\Explorer.EXE{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:10.380{FCCA13C7-3386-63C5-9501-00000000AF02}28963900C:\Windows\system32\taskhostw.exe{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000030952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:10.380{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 10341000x800000000000000030951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:10.380{FCCA13C7-3386-63C5-9501-00000000AF02}28963900C:\Windows\system32\taskhostw.exe{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:10.365{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:10.365{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:10.365{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:10.365{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000030946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:10.349{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads2023-01-16 11:45:10.349 13241300x800000000000000030945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:10.349{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000009053C\VirtualDesktopBinary Data 10341000x800000000000000030944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:10.333{FCCA13C7-30EC-63C5-0B00-00000000AF02}628756C:\Windows\system32\lsass.exe{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:10.333{FCCA13C7-30EC-63C5-0B00-00000000AF02}628756C:\Windows\system32\lsass.exe{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:10.318{FCCA13C7-30EC-63C5-0B00-00000000AF02}628756C:\Windows\system32\lsass.exe{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:10.318{FCCA13C7-30EC-63C5-0B00-00000000AF02}628756C:\Windows\system32\lsass.exe{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:10.318{FCCA13C7-30EE-63C5-1600-00000000AF02}12921680C:\Windows\system32\svchost.exe{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:10.318{FCCA13C7-30EE-63C5-1600-00000000AF02}12921332C:\Windows\system32\svchost.exe{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:10.302{FCCA13C7-3383-63C5-8701-00000000AF02}33725032C:\Windows\system32\csrss.exe{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:10.302{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:10.302{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:10.302{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:10.302{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:10.302{FCCA13C7-3387-63C5-9D01-00000000AF02}12844284C:\Windows\Explorer.EXE{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\7-Zip\7-zip.dll+558c|C:\Program Files\7-Zip\7-zip.dll+6955|C:\Program Files\7-Zip\7-zip.dll+712e|C:\Program Files\7-Zip\7-zip.dll+7275|C:\Program Files\7-Zip\7-zip.dll+8ff3|C:\Program Files\7-Zip\7-zip.dll+c541|C:\Windows\System32\SHELL32.dll+4d8ef|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+16c38c|C:\Windows\System32\SHELL32.dll+19ebfc|C:\Windows\System32\SHELL32.dll+2846f3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16c630|C:\Windows\System32\SHELL32.dll+169a0e|C:\Windows\System32\SHELL32.dll+40eb1|C:\Windows\System32\SHELL32.dll+43d96|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15 154100x800000000000000030932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:10.295{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe22.017-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Temp\" -an -ai#7zMap15098:76:7zEvent27097C:\Windows\system32\ATTACKRANGE\Administrator{FCCA13C7-3385-63C5-B3E7-140000000000}0x14e7b32HighMD5=5AB26FFD7B3C23A796138640B1737B48,SHA256=EB775B0E8CC349032187C2329FEFCF64F5FEED4D148034C060E227ADF6D38500,IMPHASH=F5976AA5B71D78D164DDC61EA72A2DA7{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\explorer.exe"C:\Windows\Explorer.EXE" /NOUACCHECK 10341000x800000000000000013497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:10.107{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:10.105{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:10.103{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:10.102{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:10.099{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:10.097{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:10.096{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:10.095{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:10.094{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:10.092{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:10.090{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:10.089{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:10.086{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:10.080{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:10.078{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:10.073{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:10.063{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:10.047{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:10.045{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:10.037{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:10.031{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:10.025{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:10.016{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:10.010{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 23542300x800000000000000013499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:11.545{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C16AF92834BD58E1A02EAF1FC8B95B9,SHA256=59D902C8C3C9DD107E4FD5C25883BB7E061A80974E469C3A6FC2D4ED231E7BF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:11.149{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:11.149{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:11.148{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:11.126{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:11.126{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000030967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:11.126{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 11241100x800000000000000030966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:11.096{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:11.096{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AED738BEFD8DC7D10733BD46AF573F29,SHA256=98C7CAEF27CEA8459A0CACD2962CF47564BFBD8AD089272CBAEC276DF21705B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:12.641{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C6D9108D275076E5554A3D0550937F0,SHA256=507FD04A626675AC11E5771A3DD8C96856AAB9FC03D8E20E243322A61A98DDB8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000030979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:12.961{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 11:11:01.844 23542300x800000000000000030978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:12.961{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15B64C2C700F5EA87C5B9BF5B3F46685,SHA256=7BB5D58FEA522BCD01ACF7ED7FEDDC5D1829C6BADEBA61D563504B6DB692E187,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:12.359{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000030976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:12.359{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000030975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:12.359{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 11241100x800000000000000030974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:12.202{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:12.202{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C293B608A8540E1AEB8B800AA5B9D796,SHA256=99FBF57114AD0D0781C0AFEAFB9A371A30E596F3EBA8A320B335072BDFC6D451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:13.743{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C18F9D7165E1EF61F2C122B316CDA3B,SHA256=5743A3FAE59E82C4D5043917D8E587DB61D3D1B02B58BCE03AB7BB7E09C6ABB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:10.620{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56838-false10.0.1.12-8000- 13241300x800000000000000031038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:13.579{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000A053C\VirtualDesktopBinary Data 13241300x800000000000000031037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:13.532{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 12241200x800000000000000031036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:45:13.532{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000A053C 13241300x800000000000000031035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:13.516{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000031034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:13.516{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\7-Mvc\7mT.rkrBinary Data 11241100x800000000000000031033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.500{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\VerifyIdentity.exe2023-01-16 11:45:13.500 11241100x800000000000000031032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.500{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\svchosts.exe2023-01-16 11:45:13.500 11241100x800000000000000031031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.500{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\svchost.exe2023-01-16 11:45:13.500 11241100x800000000000000031030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.500{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\PowerPoint3to4.exe2023-01-16 11:45:13.500 11241100x800000000000000031029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.485{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\passwordstorageFix.exe2023-01-16 11:45:13.485 11241100x800000000000000031028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.485{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\LB3_Rundll32.dll2023-01-16 11:45:13.485 11241100x800000000000000031027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.485{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\LB3.exe2023-01-16 11:45:13.485 11241100x800000000000000031026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.469{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\googleDriveDesktopAlbum14.exe2023-01-16 11:45:13.469 11241100x800000000000000031025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.469{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\ConfirmEmail.exe2023-01-16 11:45:13.469 11241100x800000000000000031024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.469{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-x86.exe2023-01-16 11:45:13.469 11241100x800000000000000031023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.469{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-x86.dll2023-01-16 11:45:13.454 11241100x800000000000000031022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.454{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-x64.exe2023-01-16 11:45:13.454 11241100x800000000000000031021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.454{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-x64.dll2023-01-16 11:45:13.454 11241100x800000000000000031020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.454{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-svc-x86.exe2023-01-16 11:45:13.454 11241100x800000000000000031019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.454{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-svc-x64.exe2023-01-16 11:45:13.454 13241300x800000000000000031018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:13.422{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000031017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:13.422{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\7-Mvc\7mT.rkrBinary Data 11241100x800000000000000031016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.329{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\WoundedGryphon.sh2023-01-16 11:45:13.329 11241100x800000000000000031015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.329{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\whiteKey2023-01-16 11:45:13.329 11241100x800000000000000031014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.329{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\whiteDecipher.sh2023-01-16 11:45:13.329 11241100x800000000000000031013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.313{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\whiteCipher2023-01-16 11:45:13.313 11241100x800000000000000031012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.313{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\VerifyIdentity.zip2023-01-16 11:45:13.313 11241100x800000000000000031011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.313{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\READ_THIS.txt2023-01-16 11:45:13.313 11241100x800000000000000031010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.313{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\README.md2023-01-16 11:45:13.313 11241100x800000000000000031009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.313{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\RDP_MSP_INSTALL_SCRIPTS-AWESOME.txt2023-01-16 11:45:13.313 11241100x800000000000000031008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.313{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\ransom.html2023-01-16 11:45:13.313 11241100x800000000000000031007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.313{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\PlayServicesUpdate.apk2023-01-16 11:45:13.313 11241100x800000000000000031006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.313{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\output.pdf2023-01-16 11:45:13.313 11241100x800000000000000031005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.313{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\output.html2023-01-16 11:45:13.313 11241100x800000000000000031004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.313{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\LICENSE-WhiteBox.txt2023-01-16 11:45:13.313 11241100x800000000000000031003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.313{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\hoax.txt2023-01-16 11:45:13.313 11241100x800000000000000031002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.313{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\desktop.ini2023-01-16 11:45:13.313 11241100x800000000000000031001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.313{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\decipher.sh2023-01-16 11:45:13.313 11241100x800000000000000031000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.313{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\cipher.sh2023-01-16 11:45:13.313 11241100x800000000000000030999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.313{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\bg.jpg2023-01-16 11:45:13.313 11241100x800000000000000030998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.313{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\anubis.sh2023-01-16 11:45:13.313 11241100x800000000000000030997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.313{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-x86.py2023-01-16 11:45:13.313 11241100x800000000000000030996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.313{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-x86.ps12023-01-16 11:45:13.313 11241100x800000000000000030995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.297{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-x64.py2023-01-16 11:45:13.297 11241100x800000000000000030994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.297{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-x64.ps12023-01-16 11:45:13.297 11241100x800000000000000030993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.297{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-thread-x86.bin2023-01-16 11:45:13.297 11241100x800000000000000030992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.297{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-thread-x64.bin2023-01-16 11:45:13.297 11241100x800000000000000030991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.297{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-process-x86.bin2023-01-16 11:45:13.297 11241100x800000000000000030990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.297{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-process-x64.bin2023-01-16 11:45:13.297 11241100x800000000000000030989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.297{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000030988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.297{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A648BED0F86B5AB33B2BD8F993BAF9D1,SHA256=B19BCF84AC651A08478FC3EC2ECC63BCCC8C6CC1462240ADCD462E5E49592941,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000030987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:13.205{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000010668\VirtualDesktopBinary Data 354300x800000000000000030986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:10.323{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local56837-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000030985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:10.323{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local56837-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 13241300x800000000000000030984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:13.146{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000030983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:13.146{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\7-Mvc\7mT.rkrBinary Data 10341000x800000000000000030982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.146{FCCA13C7-3387-63C5-9D01-00000000AF02}12846000C:\Windows\Explorer.EXE{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.146{FCCA13C7-3387-63C5-9D01-00000000AF02}12846000C:\Windows\Explorer.EXE{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:13.146{FCCA13C7-3387-63C5-9D01-00000000AF02}12846000C:\Windows\Explorer.EXE{FCCA13C7-38C6-63C5-9405-00000000AF02}6296C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000013503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:14.834{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E3BBA1AFA9E1B95D4C1ECA1577CF88D,SHA256=BA2308F2B206609301283D5C2929973BDF6E62B222FFE92C5C2A118B4D131426,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:14.535{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:14.535{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D026D5760926B0700F2205AB505090E8,SHA256=8B773E57692A38C8392C23A741E3E48AB4BE91CB0BA0DD658DDD8504266EE102,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:14.252{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 11:10:32.859 23542300x800000000000000031040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:14.252{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F772A59A615511ADFEEA0E5D25FC7D4F,SHA256=3745AF5F5FDD3E79CE2C00872B0DD508D538E87890BD84E3B9E7A445181D5590,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:10.500{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49961-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000013504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:15.935{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAEC934129CB8F766CEC148BF98D3BF1,SHA256=209FC454CAA69948C48ACFC8C8BE17D12F7962109AE90942E8406E6699DE0D23,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:15.313{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:15.313{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41648C656B4336E4F1030304CEA2D72B,SHA256=C66715F4DAA0C94F89D9EBD04F4A0A195155480DEF8B02E9199D0148A424E2F5,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000031055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:16.558{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000031054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:16.558{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x800000000000000031053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:16.558{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000020640\VirtualDesktopBinary Data 10341000x800000000000000031052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:16.558{FCCA13C7-3386-63C5-9501-00000000AF02}28963900C:\Windows\system32\taskhostw.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000031051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:16.558{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000031050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:16.558{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x800000000000000031049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:16.512{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 10341000x800000000000000031048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:16.512{FCCA13C7-3386-63C5-9501-00000000AF02}28963900C:\Windows\system32\taskhostw.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000031047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:16.387{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:16.387{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C64E0625000C3EED010D8D9415AE9229,SHA256=071755D2F5DFA6CB545904F97C3C1A09B145ED20BCE11D56A84694F743E39E67,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:17.471{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:17.471{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1784DC87508E1C1E101E76DE72B363FA,SHA256=868DB1888C07E87B49641EE9A9C8A3F46EBF35A1481E5E33251E6D080E5C6631,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:17.030{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D207E6A97E29A4804AE2A1B4C8FC113,SHA256=B7192F28EF4394144974F6B9C0E47F8C4300DA0DCF8B42085B44933B58447BE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:17.133{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads_lockbit_opendir.7zMD5=4CAAB749780365D44DFCB27299120ABB,SHA256=380343C599FB4A897FCCFA12EABBEBA47A1396B5DB682CB07F5B71352478D89C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000031060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:17.133{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000020640\VirtualDesktopBinary Data 13241300x800000000000000031059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:17.086{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 12241200x800000000000000031058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:45:17.086{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000020640 13241300x800000000000000031057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:17.071{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000031056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:17.071{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 23542300x800000000000000013507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:18.863{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:18.137{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DA334A1E8911F794864D0BAD8CFB34E,SHA256=39C62E8383AB5C20F5C5BF9AD2A71BEB077EB6435853C875020C6E66AE6389D0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000031115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.311{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x800000000000000031114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.296{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x800000000000000031113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.296{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 13241300x800000000000000031112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.296{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000031111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.296{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000031110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.296{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000031109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.296{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000031108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.296{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\SniffedFolderTypeDocuments 13241300x800000000000000031107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.296{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\SniffedFolderTypeDocuments 13241300x800000000000000031106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.264{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 13241300x800000000000000031105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.264{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000031104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.264{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x800000000000000031103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.249{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x800000000000000031102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.233{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 12241200x800000000000000031101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:45:18.233{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\Roaming\OpenWith\FileExts\.pdf\UserChoice 12241200x800000000000000031100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:45:18.233{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice 13241300x800000000000000031099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.233{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 13241300x800000000000000031098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.233{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 13241300x800000000000000031097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.218{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\SniffedFolderTypeGeneric 13241300x800000000000000031096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.218{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000031095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.218{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000031094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.218{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000031093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.218{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000031092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.218{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirectionDWORD (0x00000001) 13241300x800000000000000031091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.218{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PIDDWORD (0x00000000) 13241300x800000000000000031090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.218{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID{00000000-0000-0000-0000-000000000000} 13241300x800000000000000031089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.218{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupViewDWORD (0x00000000) 13241300x800000000000000031088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.218{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfoBinary Data 13241300x800000000000000031087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.218{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\SortBinary Data 13241300x800000000000000031086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.218{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSizeDWORD (0x00000010) 13241300x800000000000000031085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.218{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x800000000000000031084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.218{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewModeDWORD (0x00000001) 13241300x800000000000000031083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.218{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ModeDWORD (0x00000004) 13241300x800000000000000031082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.218{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid{137E7700-3573-11CF-AE69-08002B2E1262} 13241300x800000000000000031081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.218{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x800000000000000031080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.218{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\RevDWORD (0x00000000) 13241300x800000000000000031079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.218{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000031078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.218{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000031077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.202{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000031076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.202{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000031075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.066{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\KnownFolderDerivedFolderType{57807898-8C4F-4462-BB63-71042380B109} 13241300x800000000000000031074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.066{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\3\0\MRUListExBinary Data 13241300x800000000000000031073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.066{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\3\0\NodeSlotDWORD (0x00000018) 13241300x800000000000000031072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.066{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000031071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.066{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\3\MRUListExBinary Data 13241300x800000000000000031070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.066{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\3\0Binary Data 13241300x800000000000000031069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.066{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000031068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.066{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000031067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.066{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000031066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.066{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000031065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.066{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000031064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:18.066{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 354300x800000000000000013509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:16.448{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49962-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000013508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:19.225{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC82BC0FD7A66694D116D120A68442D3,SHA256=652251F340676CEC35DA55BA84A2A840E87D90D2FF367C0773F3952F0E8D6454,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:19.046{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:19.045{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=866CEF01476835DB9E72B8E1B1F77E39,SHA256=88262A8A1598CF976C573C98DE0A44212AB0CB942484D79D98EE269A542FD97D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:17.221{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49963-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000013511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:20.299{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C60F52203E6A2F4977EFB6D21BC1EDD,SHA256=60AE2B86E5284A8302312500CF422519C896A4618544F53B8947A646DC7C21BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:16.527{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56839-false10.0.1.12-8000- 11241100x800000000000000031119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:20.090{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:20.090{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3F6C2C89879C036CE016606408968B3,SHA256=EAC62A0E9C229EAC95F53227B0C97D0C7529A8E894D67473477A5892387AFC40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:20.190{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\respondent-20230116112145-022MD5=B18DB66107F9A3DB58AE009D35CE0A39,SHA256=9B023875329D6D96D1D2E2C61D5FC66BDE525A94E7FC76E10487647BF6E62E63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:21.396{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6F3DFF1DF742007CE9539C9847A741C,SHA256=A50E529B44CF9C7CA5E565CB4FF3BCE46CB8B38B06C4F5ED15D14DF145649676,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:21.182{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:21.182{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65065CA95C5C20935BEA63E58E852C1A,SHA256=62B349B1BA8DA7AA875D65B87D14C6CA5E9D99E44925482AC438397703914E33,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:21.104{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-16 11:45:21.104 23542300x800000000000000013513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:21.194{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\surveyor-20230116112142-023MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:22.484{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6AB61FC187588733D30F30F18E6CDC5,SHA256=44F91AC61120160021BE4FA52C2AE2F8F010E396CDB18D4FF12FC225A63F1C6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:22.664{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:22.661{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:22.331{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:22.319{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:22.310{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:22.305{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:22.302{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:22.300{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:22.263{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:22.258{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:22.242{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:22.235{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:22.230{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:22.201{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:22.194{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:22.185{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:22.178{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:22.166{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:22.159{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 11241100x800000000000000031127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:22.147{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:22.146{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED41E10DE6D2FD2B175E30BAFCAFC45F,SHA256=371068CB79329451EF84BC1E683D41E00BCD178F9EE371D30C8D4D238BB8471C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:22.102{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:22.100{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 23542300x800000000000000013516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:23.563{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1D5FC268779EAF4D0D788C7B17C0DF7,SHA256=1D092F637C89FE9EB0535C8E745373643B92C3CD901DFA5ABD9A4B2F93938E30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:23.626{FCCA13C7-38D3-63C5-9505-00000000AF02}57324748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:23.454{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-38D3-63C5-9505-00000000AF02}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:23.454{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:23.454{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:23.454{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:23.454{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:23.454{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-38D3-63C5-9505-00000000AF02}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:23.454{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-38D3-63C5-9505-00000000AF02}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000031149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:23.456{FCCA13C7-38D3-63C5-9505-00000000AF02}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000031148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:23.191{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:23.191{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF7DEEC418A59A72D6AECB5B02EFFDC4,SHA256=0A4FDDE639F3BD1FD2BBB10C8E7FB531E54D065DE4D9AA55E31916FFFA0F1B99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:24.651{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B3B28D1EA257CDECDE32A9AD29DEE0D,SHA256=7838C10E08E1C84E178720F78E45485EC37869AEC42E9DCE67FFE02B4663422F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:24.804{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-38D4-63C5-9705-00000000AF02}6304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:24.804{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:24.804{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:24.804{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:24.804{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:24.804{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-38D4-63C5-9705-00000000AF02}6304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:24.804{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-38D4-63C5-9705-00000000AF02}6304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000031198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:24.805{FCCA13C7-38D4-63C5-9705-00000000AF02}6304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000031197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:24.701{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:24.701{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:24.698{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:24.696{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:24.694{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:24.689{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 13241300x800000000000000031191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:24.627{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\SniffedFolderTypeDocuments 13241300x800000000000000031190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:24.627{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\SniffedFolderTypeDocuments 13241300x800000000000000031189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:24.611{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 13241300x800000000000000031188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:24.611{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000031187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:24.611{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x800000000000000031186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:24.595{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x800000000000000031185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:24.595{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 13241300x800000000000000031184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:24.580{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\SniffedFolderTypeDocuments 13241300x800000000000000031183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:24.580{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirectionDWORD (0x00000001) 13241300x800000000000000031182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:24.580{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PIDDWORD (0x00000000) 13241300x800000000000000031181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:24.580{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID{00000000-0000-0000-0000-000000000000} 13241300x800000000000000031180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:24.580{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupViewDWORD (0x00000000) 13241300x800000000000000031179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:24.580{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfoBinary Data 13241300x800000000000000031178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:24.580{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\SortBinary Data 13241300x800000000000000031177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:24.580{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSizeDWORD (0x00000010) 13241300x800000000000000031176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:24.580{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x800000000000000031175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:24.580{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewModeDWORD (0x00000001) 13241300x800000000000000031174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:24.580{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ModeDWORD (0x00000004) 13241300x800000000000000031173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:24.580{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid{137E7700-3573-11CF-AE69-08002B2E1262} 13241300x800000000000000031172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:24.580{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x800000000000000031171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:24.580{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\RevDWORD (0x00000000) 13241300x800000000000000031170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:24.580{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000031169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:24.580{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 23542300x800000000000000031168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:24.537{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5FC4415AF8111CBD15B18712CF2E9461,SHA256=A56E4985182531F59C3BFBC2356D26124DBF53C7743F24921BD84D27C0A56548,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:24.290{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:24.290{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D345E62831B083410DDD54F4D457D497,SHA256=E55174FD90D853A0934DDA148EA131C0B9193ADBE96B1647F883EE57860C6C37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:24.121{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-38D4-63C5-9605-00000000AF02}2420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:24.121{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:24.121{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:24.121{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:24.121{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:24.121{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-38D4-63C5-9605-00000000AF02}2420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:24.121{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-38D4-63C5-9605-00000000AF02}2420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000031158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:24.122{FCCA13C7-38D4-63C5-9605-00000000AF02}2420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000013520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:25.753{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FDFCACA6F125E9FF4DBB012FA6703DD,SHA256=1DDC382892878353A5DA448DD203253D1D74C13FA90C151C8981797E18CD7A3E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.774{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.774{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E83C5BB314228EACEE6F0B81A909B5D,SHA256=B9F6C27193520F5199F624614F9CB28F7FA4F6C60F59F4B6CCE31A1282A7B5B2,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000031242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:25.712{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000031241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:25.712{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 11241100x800000000000000031240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.712{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 11:10:32.859 23542300x800000000000000031239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.712{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6F88595F891A21D1DD58D3376FD7BA13,SHA256=EB82527D2393B9C1127EBE1445E6B40E258AD8DA51768C60FCE11ECC94394CD5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.681{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEC:\Temp\ConfirmEmail.exe2023-01-16 11:45:25.681 10341000x800000000000000031237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.666{FCCA13C7-38D5-63C5-9805-00000000AF02}57164424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.482{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-38D5-63C5-9805-00000000AF02}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.482{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.482{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.482{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.482{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.482{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-38D5-63C5-9805-00000000AF02}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.482{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-38D5-63C5-9805-00000000AF02}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000031229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.483{FCCA13C7-38D5-63C5-9805-00000000AF02}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000031228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.340{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.340{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.338{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.337{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.336{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.296{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 13241300x800000000000000013519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:45:25.628{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d929a0-0x05ffa2bd) 354300x800000000000000013518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:21.624{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49964-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000031222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.289{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.274{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 354300x800000000000000031220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:21.649{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56840-false10.0.1.12-8000- 10341000x800000000000000031219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.246{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.239{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.230{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.226{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.224{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.222{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.220{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.219{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.215{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.213{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.212{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.211{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.210{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000031206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:25.208{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 23542300x800000000000000013521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:26.836{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F9E68A82582758C4F681D3B7DC96AC,SHA256=8A35F6B1A0ADFCDCCDCD75F35BB212965BC7A02DA07B3013D653CC90BAE49DE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:26.950{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-38D6-63C5-9A05-00000000AF02}6248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:26.950{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:26.950{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:26.950{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:26.950{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:26.950{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-38D6-63C5-9A05-00000000AF02}6248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:26.950{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-38D6-63C5-9A05-00000000AF02}6248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000031262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:26.951{FCCA13C7-38D6-63C5-9A05-00000000AF02}6248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000031261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:26.444{FCCA13C7-38D6-63C5-9905-00000000AF02}63886156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:26.441{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-38D6-63C5-9905-00000000AF02}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000031259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:26.441{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-38D6-63C5-9905-00000000AF02}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000031258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:26.441{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-38D6-63C5-9905-00000000AF02}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000031257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:26.440{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-38D6-63C5-9905-00000000AF02}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000031256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:26.440{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-38D6-63C5-9905-00000000AF02}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000031255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:26.440{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-38D6-63C5-9905-00000000AF02}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 11241100x800000000000000031254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:26.393{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:26.393{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9E4BEF5070AD35982F2956CB500AD7,SHA256=4A1CCD01F6894359CCAF950AE55D7C3918B153F2835609A72241AB94FE70F997,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:26.284{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-38D6-63C5-9905-00000000AF02}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:26.284{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:26.284{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:26.284{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:26.284{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:26.284{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-38D6-63C5-9905-00000000AF02}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:26.284{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-38D6-63C5-9905-00000000AF02}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000031245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:26.285{FCCA13C7-38D6-63C5-9905-00000000AF02}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000013522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:27.932{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0984042A4FFAA594F21FF04F9DF4DE5E,SHA256=795CD1FA51E02389031D09102941778AB427C9795B2035A6A6DA9DF6A25380C7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:27.446{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:27.445{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BB4ED58DBB7C1A81A581B1FF849EF88,SHA256=94789BC4B0E1844854D1D39EEC79B5E61C95451E6A54D54239C69FBF6C2DEC62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:27.118{FCCA13C7-38D6-63C5-9A05-00000000AF02}62485864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000031279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:28.553{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 13241300x800000000000000031278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:28.553{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000031277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:28.553{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x800000000000000031276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:28.537{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000C062E\VirtualDesktopBinary Data 10341000x800000000000000031275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:28.537{FCCA13C7-3386-63C5-9501-00000000AF02}28963900C:\Windows\system32\taskhostw.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000031274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:28.526{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:28.526{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CE7C8C7F7E9098450B0737F6A37C3BC,SHA256=C696472DFA2877ABE0782C1BEE96D2640AB06269DD681BA0B5C5FB019C4219B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:28.568{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=39791F6301C602A7E88091A28BFA7DA5,SHA256=B902915C2A18C35F6335FBA378120685F6D3187DBECB9536D761F8185EA967B8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.690{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.690{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFFBEF352D1E4686A5E5DF9446678CCB,SHA256=20C550539CF0CD36E24E1F6596B4AAE50161092EECE33F670E171AA1EB31839F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:29.980{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000013530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:29.970{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000013529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:29.963{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000013528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:29.956{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000013527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:29.948{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000013526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:29.938{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000013525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:29.936{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 23542300x800000000000000013524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:29.022{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8267CA3E682915388525A49235C5960,SHA256=28D7DCF64EBA6C5F7EC810033811ABC146E55B7D22E6BDF85288F8B5A38B0A32,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000031336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:29.516{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 13241300x800000000000000031335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:29.516{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 23542300x800000000000000031334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.452{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\WoundedGryphon.shMD5=09ED9713D0AD02CA05A875AEA4A6FF4F,SHA256=228BC051198F43F2B8E36A1C3AC0A7BC3AE23ACBBFB0B880ECA1AD5FB587DB6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.451{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\whiteKeyMD5=23291F3843D7E3CE826E6981633F6503,SHA256=4FAD89475ADEC4C4AFFBD65263916179977DD6E10D392F983A7FD67D9AE8A874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.443{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\whiteDecipher.shMD5=026C306DC7DBD2E2E6E99C8888A0770A,SHA256=7520B4CE69D904844BE34F7BB07BCDA49658147562B745CCA8CCCA51C4290FF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.442{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\whiteCipherMD5=FEB6F25BC262A5FF98EA825799CE494C,SHA256=74E6B8B94892C9E21F3FD75FA4173FED16D9AA7ED6C8EE90306B118616F07A29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.409{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\VerifyIdentity.zipMD5=1AE5E93068A9E333B11E20529979D4A3,SHA256=8035509D003A2CACEA942660D44F3E989F8B316380D5073597FB4270B5CF25C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.394{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\VerifyIdentity.exeMD5=B57CD4DA5AB3566177BD3B9FD8C306E3,SHA256=A063F9267414A21CF829526DC97C852417B0C373D8B411B67AA4202227011F57,IMPHASH=557851F516941D1F8C24A919BDE970CCtruetrue 23542300x800000000000000031328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.362{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\svchosts.exeMD5=63D533FB228E802C9C774EF75FF043FA,SHA256=240AC12F9C13EF1FDFBC77E16978F0423A41A3CC1C3DCB8786BA8E7672811F0B,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744truetrue 23542300x800000000000000031327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.362{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\svchost.exeMD5=3AEA97EF58D132D994D6160AE232C6E7,SHA256=067F997E6FE9EAC1A47D9A54D6DD22414721AD895E6352714A11779DE8D66540,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744truetrue 23542300x800000000000000031326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.362{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\READ_THIS.txtMD5=E6E8C8822EC7D0F5FB9B3B75953B785E,SHA256=043D32878D17E4110B97E2106580193B1079C85D570E4625F1D86BA4F035D38C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.362{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\README.mdMD5=8EE661573CCEA2898CB9B7612428D687,SHA256=201C73CF552851913DF1EFDF517F39B8FAB28F01649B2626E7E6DF7A72FA7E59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.362{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\RDP_MSP_INSTALL_SCRIPTS-AWESOME.txtMD5=DB0632A1788BF0B4BA4FB381B186E3F0,SHA256=76C7A37AB465BA53FB735C0A6235269F24E76F9DC6BB53C06B091E21211F51A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.362{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\ransom.htmlMD5=67912031E5751A92113F2A00AB83ECA2,SHA256=116D5D8D6580D093E103FAD8EEE4614FE1A3BE6E371F0E6EA22496CFFB4E428D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.362{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\PowerPoint3to4.exeMD5=35560FFF8FC990948A9252BF20CFC8F5,SHA256=3E04FE9F427717CA17142603B46C5264FB42621048719721FFA4926C8E9BB6F1,IMPHASH=41FB8CB2943DF6DE998B35A9D28668E8truetrue 23542300x800000000000000031321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.347{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\PlayServicesUpdate.apkMD5=875773A09F5F4C09CC11E0FB7F1F49B7,SHA256=CB90976C01394BD91125C6764FC8FC19F8B5EF2B1422B641E2B4C68F6C91B984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.347{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\passwordstorageFix.exeMD5=B57CD4DA5AB3566177BD3B9FD8C306E3,SHA256=A063F9267414A21CF829526DC97C852417B0C373D8B411B67AA4202227011F57,IMPHASH=557851F516941D1F8C24A919BDE970CCtruetrue 23542300x800000000000000031319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.315{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\output.pdfMD5=D8D25CD8C77E628ADFAD6D14A41FB5CE,SHA256=4C7652C9DD8C773D6C3FB2FD3FF6374CEE6CC10F3647B3505DC41721ACF164A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.315{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\output.htmlMD5=D8B99D220F319B3D6D5E9EC40637A7FC,SHA256=B42D9D4562F7619D29378CF661784DA46F4AACAEF95F793D56F7BC6F9D2D8B3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.315{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\LICENSE-WhiteBox.txtMD5=0DBE649720C003B15B8C288D4E5DC515,SHA256=0E9C1A8B6FD50923CE98941E77F47616F478B3C86BDC2E3F4389F626F55A5812,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.315{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\LB3_Rundll32.dllMD5=8420A0F6F0FAC3A16D486123DFCE7C7C,SHA256=4EC749635F2FC719D569C97A868A071F486923F63ED71EECEC9FA0D62278BBCA,IMPHASH=B750C147C0BCC8B349E4F1143AC1432Etruetrue 23542300x800000000000000031315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.300{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\LB3.exeMD5=75256873A03F4A4BC073185F48C1097C,SHA256=068CA3E92C65EB907B5A34BE16580E267EFBBDE6F9129CA30AD80C948A1D3FFD,IMPHASH=41FB8CB2943DF6DE998B35A9D28668E8truetrue 23542300x800000000000000031314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.300{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\hoax.txtMD5=207CC613FB965F238D082DE5DECCA1F7,SHA256=CD47F0C7317A957EB802B7831CA0E6A7D285FE2E7275B656778F95089E97FEF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.300{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\googleDriveDesktopAlbum14.exeMD5=B57CD4DA5AB3566177BD3B9FD8C306E3,SHA256=A063F9267414A21CF829526DC97C852417B0C373D8B411B67AA4202227011F57,IMPHASH=557851F516941D1F8C24A919BDE970CCtruetrue 23542300x800000000000000031312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.269{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\desktop.iniMD5=3A37312509712D4E12D27240137FF377,SHA256=B029393EA7B7CF644FB1C9F984F57C1980077562EE2E15D0FFD049C4C48098D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.269{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\decipher.shMD5=AEA6CB605937BDADBD034047262E31F4,SHA256=05A626F4372D68783D12578727789F041E0857E07114FE0194B887582C0C3DFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.269{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\ConfirmEmail.exeMD5=75256873A03F4A4BC073185F48C1097C,SHA256=068CA3E92C65EB907B5A34BE16580E267EFBBDE6F9129CA30AD80C948A1D3FFD,IMPHASH=41FB8CB2943DF6DE998B35A9D28668E8truetrue 23542300x800000000000000031309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.269{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\cipher.shMD5=B8D677801A1CF36DF3067D59C0708DED,SHA256=8B6B5BEB24609C35BBC4E34A9EA23D64BCA4EFF60B9CDD4ECE6502A1C8C6D55C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.253{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\bg.jpgMD5=B5A22B24995B1485B7F8DB31E3F4E845,SHA256=857471CFA9010718B8612C5F8DA91B07452A91719667F1FE357255579621C89B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.253{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\anubis.shMD5=8EBDBF116B8A8495613508197E877CA4,SHA256=FC1BB578C99F165E3EB8AC116B1ED42C60171EB83644104142C0294D915C856E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.253{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\8082-x86.pyMD5=1643CA1938B08BD33F9F1A3B6D01AF80,SHA256=89E93E9C2EF8B6E0B4154D818027D6D850507C62D4A677308EC1F3677EF5D935,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.237{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\8082-x86.ps1MD5=54C88728BF357AFCC4D8B485C166B54C,SHA256=D8F94DD6D50EB4DD0528F3784883E20EB8499F5188E596DE217039A9DFF61E64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.237{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\8082-x86.exeMD5=ECDA3174C7B7AC0596670CF184374B87,SHA256=91BD127FE5F8E96E424DC509A6910EDDE262142EEADD6BA9F316CB5BDE12221E,IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9truetrue 23542300x800000000000000031303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.237{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\8082-x86.dllMD5=8D72FC6FF9CB0971DF587D20DDA5E8C8,SHA256=0B7D19CF030839C3DF481069772C7A32B5A3BE4C41CE6B436AB69015FA90D98A,IMPHASH=E1DCFFDE169ED8B947DC63ACDB78AECAtruetrue 23542300x800000000000000031302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.237{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\8082-x64.pyMD5=5652592338DB9C578311BCD840B61A6F,SHA256=0C011BC812555A6868EDE5F189CB8C7A99C2C0BEAA7548A39A5E0162EF7DE251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.222{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\8082-x64.ps1MD5=4EBF3871BA1B7B1B821B211A34B5A7F6,SHA256=A55296309871408165C248CB6E5C88E84DA5682BDDDC5CCE220552660536D93B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.222{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\8082-x64.exeMD5=4FCA0701B976C08A3A657A546BC82D7C,SHA256=F2093C8228896204C3403526C88FF3DDB4D9C7369A043EBB0B1A69B44CE63CD2,IMPHASH=17B461A082950FC6332228572138B80Ctruetrue 23542300x800000000000000031299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.206{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\8082-x64.dllMD5=43616639411A590F022505998A6F567E,SHA256=6A289F491C8D5D789E31E89C73BA06EF6FC075458A1106B7213B29DA798F6C03,IMPHASH=F73CB1B8999C7E79C50459B8E1F144F0truetrue 23542300x800000000000000031298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.206{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\8082-thread-x86.binMD5=95B4FEB185AF777C1BDD0812619C000C,SHA256=21BD99B20120DF1EFE5E1817403EE0173771643E2C4D91F5F2076787C3581627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.206{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\8082-thread-x64.binMD5=9DC762D3FE1B459AFEE9DD840A4F3D70,SHA256=5B2D046064D85578ABC5E7FF686DB9E20B8008AA72BE99D10370551FE70D51B6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000031296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:29.206{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000C062E\VirtualDesktopBinary Data 23542300x800000000000000031295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.206{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\8082-svc-x86.exeMD5=8FC088EEC229A693F2D754C67A2E506A,SHA256=DEEB89A16AA2B7B63504602DE422F508C196B8BE3289E57F3B9D74337D585425,IMPHASH=DE77F3139EAF74F1B255AB7BE0B6605Ftruetrue 23542300x800000000000000031294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.190{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\8082-svc-x64.exeMD5=89BE3BE20CA0DCE73C12A5A015BCB9A5,SHA256=37E828DA01820AAD58414D0B73C935A0E408C274CDD872CBBAE25F9CBCBA0B08,IMPHASH=BED5688A4A2B5EA6984115B458755E90truetrue 23542300x800000000000000031293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.190{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\8082-process-x86.binMD5=1123FDAA3AB9C341B986D57BD4B1844A,SHA256=72E686AC4559427CCB0302C638A88997B6A3E8895974C6E4648C27F69BBB0FB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.190{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\8082-process-x64.binMD5=5B10B59019C3DEF2540CA16DC1E1E456,SHA256=882EBE5138B2BA20DE111BF637DDFA1672A3C1CA756C8A5F962F11BDDDE10337,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000031291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:29.159{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 12241200x800000000000000031290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:45:29.159{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000C062E 13241300x800000000000000031289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:29.144{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000031288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:29.144{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 10341000x800000000000000031287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.112{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-38D9-63C5-9B05-00000000AF02}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.112{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.112{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.112{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.112{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.112{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-38D9-63C5-9B05-00000000AF02}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.112{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-38D9-63C5-9B05-00000000AF02}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000031280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:29.113{FCCA13C7-38D9-63C5-9B05-00000000AF02}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000031343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:30.805{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:30.805{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9685D9B5355190DDC57A4FEE0F3C1098,SHA256=F8D6660AE0CC3E90C7F7691BF57D90B4EEEB79348F8C23CBCF1036540396DC59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:30.133{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000013555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:30.131{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000013554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:30.129{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000013553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:30.127{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000013552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:30.122{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000013551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:30.120{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000013550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:30.119{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000013549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:30.118{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000013548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:30.117{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 23542300x800000000000000013547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:30.117{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=892A5B3DA386572AD73DF66433EF4728,SHA256=7673CC0326E4D385A1F0B416D9B1923A7B9AEDC347FB03A924D28CCBFC9889CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:30.112{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000013545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:30.109{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000013544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:30.107{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000013543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:30.104{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000013542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:30.099{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000013541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:30.096{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000013540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:30.091{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000013539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:30.085{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000013538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:30.060{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000013537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:30.058{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000013536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:30.050{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000013535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:30.044{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000013534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:30.035{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000013533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:30.028{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 13241300x800000000000000031341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:30.482{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000031340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:45:30.482{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 354300x800000000000000031339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:27.530{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56841-false10.0.1.12-8000- 10341000x800000000000000013532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:30.016{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 11241100x800000000000000031345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:31.892{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:31.892{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CAB6D10E3E7672A0EF16087F38DAB86,SHA256=021E701C6A9FA18F38142F7E88D0CD4A11B82A838DB4DA7B789844AC389D2568,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:27.523{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49965-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000013557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:31.089{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D2B8D98829AA4E49A4BFECF4DA61DE,SHA256=77E7AF8F5ACD40C75601D2392B10C8262904B988DE826151E6C1FC7FC7413F69,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:32.960{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:32.960{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1519368FD2685FB38440390E9CF00405,SHA256=393E477307259CA22383BA3E55990C393BD39A1A39F3CF29695AC74EF8D124EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:32.186{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07F5FAE21CDEB89FFA394E9A081A15F2,SHA256=2EBF94A5D26A5C581BAA6539D60635009A81AD454CC5B6DCCDEDB2101CB11971,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:33.276{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6426B7F595AEA79DDFFC856769382F01,SHA256=868DBC89FBD303723CB3BA85565F5D09590780DBAC9B1119AF6028DF56490A3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:34.377{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22ADB8F54DA678F2232E7206E40465DF,SHA256=3E001C2F47B2F0DCC121F207A560EED40186EA2025BC8CEAF2AE19E2FF28FB9C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:34.055{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:34.055{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA2CC6C0D97EBDD6C20C2E7E450459A5,SHA256=32D4DE562CE8E657B181B1DD2F7C2987DE9161AAC23029A22EEA86D2DED10CBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:32.626{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49966-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000013562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:35.484{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3D0FC67B2244125DE4C2E5D85AA8B14,SHA256=98335FA7C070BF2CFEFCC753CC08F8A14AA717B93E74130FBB7DFED5BA117121,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:35.125{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:35.125{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF9D8E5017C60265B3510FDCFE085C2,SHA256=4A54F0B636BF1643B40A7397F155D87DC78373BE51F35FE621EDADF4283512C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:36.575{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF36CEEF320ED39AF29696F525466386,SHA256=CB13341E793887A43FB350E8762CCCBE04F57F36D2B6BFE556AA2595671E9623,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:36.206{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:36.206{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E6201D1A7234D12529694F7CEA77948,SHA256=87BA8CA589E6A02CA88004AD32C203CA54455336D73AEBF00F12AFCF6C61CB92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:37.664{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E201425D62A4553AC87343772634FD7,SHA256=30C3ABD3270F8687798A73314EFB9E09A97116A5DA35DB83C96AA07E763EFB7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:33.511{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56842-false10.0.1.12-8000- 11241100x800000000000000031355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:37.282{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:37.282{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=354EA4FD1E8C69136BB78945B947AA31,SHA256=723817F618070E715099261B86A33AD9F97281F27C452CA1E3A4F14F07E802E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:38.748{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=853E798286422A8109B2C0CF0BBB4BE2,SHA256=0B5BDD1CA7D5740DAB377BECBCF11C61D59D672FD71F7B8D88D10CFADBCAEF0E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:38.390{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:38.390{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7B66AA081280E9A6A223B415FCE0C5E,SHA256=FFBCD5A72B21703B8B5A0FE2B8878C89AAA7427D9D4FE5B400ABB27AB8F7FA0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:39.849{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD06BDFE8D8763785DAFE596FD409DA7,SHA256=C13FADBCFE1F4BCA544F9BA84EAD1E350617A36137EBE8D779325EAB19C6096B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:39.496{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:39.496{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C77D87E1A332E6E67E3E1A184206629E,SHA256=00E8C3BE9AF458590AD65521C2055B03C6D516386C3ECD2F72DC6F7FB792E0BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:40.959{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB8F4DE9E6FFDA28C8A050522921E8A,SHA256=B46CD04EF33109B07944760EFD6B09ECAD63FA6945F39846508F1B6F7BEE8648,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:40.577{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:40.577{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B4888FD03FB9604E8EF2A5DF86D53EE,SHA256=4E6111C94AAAA903272928CF39C37B7D8267B2A35F44B3E0A0586DAB5401E7A1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:41.673{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:41.673{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D214F609C199DAD15D18D31F9A894884,SHA256=D19D4B19BE90BFC69C14446EFE8A49DCAF19AAAAF173F2E5FFE39B2A5E80C153,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:42.881{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:42.870{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 11241100x800000000000000031385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:42.713{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:42.712{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4E12B6664EA6F4C7CFB1CF0D71A246D,SHA256=7C7D38EDEA4A4EE8C45AE684A819FDA56450026EE3CCDD034825220A25E66374,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:38.530{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49967-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000013569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:42.054{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2B8DB4316813F3472521342E77D4418,SHA256=7818C1E4B15D5531A120EF6E28321157037B01BCF059D950886A30BC9A154DE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:42.364{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:42.347{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:42.339{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:42.336{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:42.333{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:42.331{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:42.293{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:42.287{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:42.267{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:42.253{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:42.247{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:42.211{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:42.201{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:42.182{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:42.171{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:42.160{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:42.145{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:42.102{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:42.099{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 11241100x800000000000000031392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:43.951{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2023-01-16 11:11:42.170 23542300x800000000000000031391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:43.951{FCCA13C7-30ED-63C5-1100-00000000AF02}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B474BB0DC779E610F434BE828ADBF3FC,SHA256=7E50D7C93D20F855A15C6D0FB9F0B9573FF6537221581B6B72790D1E995FF75E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:43.765{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:43.765{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF3B642069034EAE1683EA0B79A51AAE,SHA256=7579152BC5BFCA22A780FCE22256266D2BF4DAD15B13DE8338D27391F95BBBFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:43.793{312A7A06-3345-63C5-1200-00000000B002}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=880BA8BB061C7DB641B5DDFEE33FD85E,SHA256=EABE5D7B6824746DB12392847E737511F7A8FBD1AA17C7423B544DFB981E53D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:43.152{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B370F35C6BA2BD312F67893256D1AF58,SHA256=4231CDD8499F13503AA6577629B2662649D974645F6C5BD12524B66F091BF365,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:39.522{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56843-false10.0.1.12-8000- 10341000x800000000000000031400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:44.944{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:44.942{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:44.933{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:44.930{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:44.928{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:44.922{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 11241100x800000000000000031394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:44.843{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:44.843{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13C8A46AB29A0CA29945089767639D72,SHA256=9D7AF241C16ACC397DF46B319B52795204EB6227E681944792FE176107A50E7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:44.234{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F47EC2FD10E06F7D0DEF3FD1FC38E33,SHA256=971C324264401FF7C06D5C7100DDC2FD1DA462DEDD9C8EBD5F7CCA37A869C163,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:45.935{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:45.935{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38A1EE5E3B1847F7E8EE0DFD2CCA626B,SHA256=8D7A369524418AFC0BC6A128E984AD88BA7A14F4E1CF6DC4840B8613AE33892D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:45.338{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F0C88E93439632B833C1A28C5F9D2DF,SHA256=0161C83C5D91DB90331E05DB988BEAECC91F441CE4BA587C0E391C2167A04A96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:45.597{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:45.597{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:45.596{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:45.595{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:45.594{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:45.568{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:45.558{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:45.543{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:45.505{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:45.494{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:45.479{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:45.472{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:45.470{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:45.466{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:45.463{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:45.462{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:45.458{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:45.455{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:45.454{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:45.453{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:45.452{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000031401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:45.449{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 11241100x800000000000000031426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:46.976{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:46.976{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA314718D6099BF23810F9F8E0E618BC,SHA256=07A3BDEFE51E33DA91CBCCFCD23CDF607796B5662B72D04C72EA64692362385E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:46.422{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D854F5C0CD4E9A1B6FB1FC2352224D9,SHA256=D26715AB33369D7ADE8ED5F4459B271CAA3E91DB1B111685A66BB2BDA751F5BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:47.524{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D72C8616620576F4EDC725F5B321F05,SHA256=DC77911A3DACE072200B25E9E5478F02B7038E168C8A46ED79EE2CA3F3473473,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:44.654{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56844-false10.0.1.12-8000- 10341000x800000000000000031463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:47.160{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000013578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:48.616{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BF8B88384CC512F0072FC13538A842B,SHA256=559EA7A29C62C85069A8DD0B315C4994F15C1C50C86E663C4CB8E6BCD790A775,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:48.580{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\respondent-20230116111158-032MD5=3A7897B317CA03B79FE07533175F9643,SHA256=F76FF17815B8F96571634A983322FD544389A7130FC207258DDFB92658757A4D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:48.579{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\tmp\respondent-20230116111158-0322023-01-16 11:45:48.579 11241100x800000000000000031467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:48.578{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\tmp\surveyor-20230116111156-0332023-01-16 11:45:48.578 11241100x800000000000000031466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:48.172{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:48.172{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA0A803BF12138481141B21789C69D3,SHA256=B7353DE4D2A5BC15A1A54475D582E996D882201AF0BCA8AF7B29CE80FC179DFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:44.478{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49968-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000013586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:49.972{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:49.966{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:49.954{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:49.947{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:49.945{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:49.941{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:49.931{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 23542300x800000000000000013579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:49.715{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B8833BB78FABB01D9879F7E7CEB5810,SHA256=C3BEEDC55A64EA7148EF48B539867705C0164E3057ABC5D92BD1C0B05854FD77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:49.585{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\surveyor-20230116111156-033MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:49.269{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:49.269{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7CCAD4CF1D2D57E72F646DFFB1475E3,SHA256=A7CBA90D127BC06E9F51820A6DA1928E2D07B2EDD637075E5A66B5368DDB5435,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:50.349{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:50.349{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF54CFE38C0345CE5AD548FF523811B,SHA256=4CA285061C776C1545E161A658542D7469481ADD9093F9DFA05938B75727C122,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:50.131{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:50.128{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:50.126{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:50.125{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:50.120{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:50.115{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:50.114{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:50.113{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:50.112{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:50.109{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:50.108{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:50.103{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:50.099{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:50.089{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:50.086{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:50.079{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:50.071{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:50.052{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:50.045{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:50.036{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:50.030{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:50.023{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:50.015{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:50.010{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 11241100x800000000000000031477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:51.444{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:51.444{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=361918E5EB96B69E1D71D3048E9FEAD2,SHA256=44C1CBF96CDC615E97E7BBC040F26282B108D33DA0FD528A2C4DACDAAFF92020,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:51.303{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EA5AC79D129D4599531AD8B1B42B729,SHA256=19C9C6D6067D7E765A84F2511F9846D0CA0AECA2FFB1D2C202E42BEAF032331F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:51.116{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-16 11:45:51.116 11241100x800000000000000031479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:52.552{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:52.552{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74F213FFBB2810044FDEBCB89D23229B,SHA256=A9935DAD64CB9F3E88A3ED3712D1097019D792A5D2A84E646D4F9B5F5FA9B964,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:52.906{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1D00-00000000B002}1996C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000013612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:52.342{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E2A93530C7F23C8836505C232FA11D4,SHA256=79B423B9A66A2A058AF8D44021781EE5842697498E0AE4690A1DBB1CA6F885AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:50.532{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56845-false10.0.1.12-8000- 11241100x800000000000000031481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:53.636{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:53.636{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45C14F070855AF80A1B37BE90C4E2337,SHA256=9FA8450776B63C6CA0018EB858B9FDEFFFF2DEC34CA378C63F891522BE2F8A5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:53.425{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33102807D78D9C37AF4F1B651BC7883B,SHA256=DB568BD0A45A93B6570F730585FA4F7921EF384A9288FC793ABD03C3A931114B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:49.551{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49969-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000031485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:54.742{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5B52B37465A927E107A17970200C3986,SHA256=E2F84F4737ADD490D1E978E7A5BE3EED208EF64C11E560AA64105AE1BDAC5487,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:54.711{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:54.711{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B857DB911B714B43EE0BFF08B9C9F0E0,SHA256=9D570A1F4A73DBB7181E44A5B6F14C8615C1BB993EED21DEBB4AB41F6EC25F79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:54.527{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7520A6EBFE9C63B096A5980EA7FB0B35,SHA256=0EA234CC675DDF8D17303866F7C37CD79BB7AC9031BBD2F4CD76B86C754A5211,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:55.799{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:55.799{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A942C4582A35E53A68D85B29A339EF8,SHA256=CA6DB760F4897F0EB15B287C009AB890B7DF4D1E33D63B534A125B2F76BD3340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:55.627{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6E097BAD853ABC1A5D50AFE7BD5A6F4,SHA256=AD69ED99CBB38B361E4859D207C3B8252AE628133CEA874F54A0DDEC5ECD2EE2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:56.882{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:56.882{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E6824F0A2E0A84F8CDD3524351CF35C,SHA256=BEBCEEDC0DC23A7E5A74EEFB2A784F702A1090A14DE9C029AD34DF31A7E64C57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:56.964{312A7A06-38F4-63C5-BB01-00000000B002}36522416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:56.807{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-38F4-63C5-BB01-00000000B002}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:56.807{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:56.807{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:56.807{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:56.807{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:56.807{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:56.807{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:56.807{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:56.807{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:56.807{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:56.807{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-38F4-63C5-BB01-00000000B002}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:56.807{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-38F4-63C5-BB01-00000000B002}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:56.808{312A7A06-38F4-63C5-BB01-00000000B002}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000013631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:56.714{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17C843660A68369841F852CAEE9946C3,SHA256=C91A58CC8FD40EA93D67CD42B5EF8A3CF36BD21220D24DB5C0E0244FCA53B9C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:56.135{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-38F4-63C5-BA01-00000000B002}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:56.135{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:56.135{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:56.135{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:56.135{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:56.135{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:56.135{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:56.135{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:56.135{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:56.135{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:56.135{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-38F4-63C5-BA01-00000000B002}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:56.135{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-38F4-63C5-BA01-00000000B002}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:56.136{312A7A06-38F4-63C5-BA01-00000000B002}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000013662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:57.949{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1970C7DE268A72AF84D3E3445A59BDE8,SHA256=D6D58C6F8F4CEDF71FB471E51AEB7BECED885314545AA1C5C6A5FA6A2FE69D16,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:57.967{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:57.967{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB8C6BEFFA82CFC2D1720FC29F35E66E,SHA256=87F0E457E3066953C7017535582E19AFF5840DB97DE669C2BB0EE4C0C6D67B07,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:57.552{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2023-01-16 11:14:07.413 23542300x800000000000000031490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:57.552{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:57.703{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5528B222B94E65C91A4D67FAD6C6811D,SHA256=474F662A0291FCBED6A83629B036C6FF9EE45F23865BD74880D8FD5E6A08CA32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:57.328{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-38F5-63C5-BC01-00000000B002}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:57.328{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:57.328{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:57.328{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:57.328{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:57.328{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:57.328{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:57.328{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:57.328{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:57.328{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:57.328{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-38F5-63C5-BC01-00000000B002}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:57.328{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-38F5-63C5-BC01-00000000B002}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:57.329{312A7A06-38F5-63C5-BC01-00000000B002}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000013647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:57.296{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E731667C654D446F93D6A65536AF9B33,SHA256=251356C952FAECA15DF8507205C022C7CBB7F6C32EA6A0894655A9F080776F56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:57.187{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D5136E0630CF99EF0936E73DD7023A07,SHA256=09B7310D3944F6B94D3C18CF01CEF47A6141D2152F88A1B1B7BD69EC49FBEAB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:58.854{312A7A06-38F6-63C5-BD01-00000000B002}24082412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:58.682{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-38F6-63C5-BD01-00000000B002}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:58.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:58.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:58.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:58.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:58.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:58.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:58.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:58.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:58.682{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-38F6-63C5-BD01-00000000B002}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:58.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:58.682{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-38F6-63C5-BD01-00000000B002}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:58.683{312A7A06-38F6-63C5-BD01-00000000B002}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000013663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:55.449{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49970-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x800000000000000031495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:59.053{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:59.053{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=417DEA27071BE6BD1FF7934253A964D1,SHA256=D55832358027FBA6A7B11BCA612EBA1E886836197A07442AFF60FFA9DFFF6441,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:59.714{312A7A06-38F7-63C5-BE01-00000000B002}28283608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:59.542{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-38F7-63C5-BE01-00000000B002}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:59.542{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:59.542{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:59.542{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:59.542{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:59.542{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:59.542{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:59.542{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:59.542{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:59.542{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:59.542{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-38F7-63C5-BE01-00000000B002}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:59.542{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-38F7-63C5-BE01-00000000B002}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:59.544{312A7A06-38F7-63C5-BE01-00000000B002}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000013678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:45:59.104{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3B768EA7C78EF6F9130B0EC461BCC0E,SHA256=25465B5C05D46842510B2D35326722BC7304946E527D21820F98610CE61CC023,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:00.129{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:00.129{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52BE19194D954435F653855EA7A503CF,SHA256=6D87A20627DDDD8A251DC896451DF55488AD172D3D82B2ADD5BD6D81D36E1090,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:56.011{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56847-false10.0.1.12-8089- 354300x800000000000000031496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:45:55.715{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56846-false10.0.1.12-8000- 10341000x800000000000000013707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:00.378{312A7A06-38F8-63C5-BF01-00000000B002}33962932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:00.218{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-38F8-63C5-BF01-00000000B002}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:00.218{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:00.218{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:00.218{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:00.218{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:00.218{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:00.218{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:00.218{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:00.218{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:00.218{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:00.218{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-38F8-63C5-BF01-00000000B002}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:00.218{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-38F8-63C5-BF01-00000000B002}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:00.219{312A7A06-38F8-63C5-BF01-00000000B002}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000013693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:00.203{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DA5F937676F7EECEDF3C4F1CBDFAA62,SHA256=D0EE84BCDDE5BDCA21217D1BD96C87128458911EF10430587F9601616ADEFB20,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:01.212{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:01.212{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6D8CB184AB61433CD3C251381AFC541,SHA256=032F8A62D0F58D29DDC57FB5B6C6CF0E09EF96D562A73DA0533443C34DC49095,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:01.352{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-38F9-63C5-C001-00000000B002}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:01.352{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:01.352{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:01.352{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:01.352{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:01.352{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:01.352{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:01.352{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:01.352{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:01.352{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:01.352{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-38F9-63C5-C001-00000000B002}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:01.352{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-38F9-63C5-C001-00000000B002}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:01.353{312A7A06-38F9-63C5-C001-00000000B002}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000013708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:01.296{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA5E0A306BBD45477CC621349CF1F482,SHA256=85E33F1CB562524CD1995D92944671182E9C0FBA7CB6CFB0617C813512F8056A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:02.946{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:02.941{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:02.396{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:02.381{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:02.373{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:02.369{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:02.365{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:02.362{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:02.318{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:02.311{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:02.294{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 11241100x800000000000000031513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:02.289{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:02.289{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53AADFA9AF77D87050138917264B962A,SHA256=3DAE1D0D7BB50D5D589B8402D8626A21013C29E2328255229752964078C24620,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:02.278{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:02.271{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:02.236{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:02.226{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000013723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:02.411{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=367B19A6F8B8D0E5D0E32FC9D09A650E,SHA256=B4B5B04614195773C6DE46D7E74B6F6EB15E9B69E3C9CD2BE89A5F6C50A308F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:02.380{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF7C5D37C5AED8488D1CE0BCA9437CA,SHA256=B6AA7AF37401C0D5EE9295DA4A27CAB1F8B5849AD017A29222E51B67AF5FB5E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:02.212{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:02.202{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:02.191{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:02.183{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:02.118{FCCA13C7-3392-63C5-AF01-00000000AF02}33766120C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00A90) 10341000x800000000000000031502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:02.113{FCCA13C7-3392-63C5-AF01-00000000AF02}33766120C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00A90) 11241100x800000000000000031526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:03.323{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:03.323{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02737E85F9FD98A8B3760E046809F654,SHA256=C1EAB443796F08F83EBA8B623E53794C7FAE2064BCEE5A7C163C3592481287E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:03.474{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBE024B37F74C874E5737CFC3EE5A904,SHA256=72623BEA1B9FA99E07EF9D77B4761DC6A9C4202E796DCB1102A4FB41E96F0B88,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:00.585{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49971-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000013726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:04.461{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22393458AC9855E58B85D0B18AB82074,SHA256=CFA583E12BE203D129E465CE0214B8F196120052B0CD161D5ADC6D89D485BED0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:04.994{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:04.993{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:04.990{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:04.987{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:04.986{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:04.979{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 354300x800000000000000031533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:01.615{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56848-false10.0.1.12-8000- 10341000x800000000000000031532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:04.523{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:04.523{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:04.522{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:04.505{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-AF01-00000000AF02}3376C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000031528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:04.398{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:04.398{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C69FB7EC0C9FAD9EEABD8BBA2066B3D9,SHA256=72C2D1AE728390EB8AE3AE279020D7A3697CD06C734AE7FC993081D0B015AB5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:05.563{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67F565244E45C6F8C4A55C264A74B551,SHA256=646A71F24F08D16C21FF37B63F85D16525ADF8AC8D953852067D20B2A0EEF946,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:05.634{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:05.634{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:05.632{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:05.632{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:05.631{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:05.602{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:05.591{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:05.578{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:05.544{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:05.537{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:05.528{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:05.522{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:05.521{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:05.518{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:05.515{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:05.514{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:05.510{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:05.508{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:05.506{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:05.506{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:05.505{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:05.503{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 11241100x800000000000000031541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:05.455{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:05.455{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6E49BD108F27C5BCB656229F5F69836,SHA256=13C82C922FB146CA6EB186E308670DDC5A64174591404B0F02D6AD7E353877E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:06.639{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B9B87DD5455A32E23CE4533194D7FA0,SHA256=9EA3B7435C5FBCBB24470103CE2142140D5228D0870FB13DAD57E954D6455267,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:06.550{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:06.550{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C46106C2337D7A12846F0A9332849DB8,SHA256=20B4F3DB406B368D52A10EEA453968F4694DEC9EC78381FD94FEFF66D8C833DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:07.738{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54B716463564EDE6AF9E76819D1350CE,SHA256=AFA3ED0D805833F8D5A539C83794A19168EE141067CE55059FD8740484920BFA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:07.639{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:07.639{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71A74A780663D23239C9FBED1DD3C86E,SHA256=AA62B967D60F3BBAEB203C766BF20BD58C21E44592EBA139808CC81F5AAE2851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:08.834{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28AE1E70A1DE6E5B4D2E58ED4DED9404,SHA256=B4D1E346010965C7DED3D1A49007047D4A8377B288DB2A60FB3DE2252449AD25,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:08.727{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:08.727{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F9B276E591B3CDBA09DA77C347F4B65,SHA256=834A45C1B20C3051BCA6F673820A548225F17A71CEDE1099092D0CD6789074D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:09.996{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:09.967{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:09.961{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:09.952{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:09.942{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:09.935{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:09.929{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 23542300x800000000000000013732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:09.927{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F433EE333D49ABB8D43275C149CB2AFA,SHA256=2F76392800F87AE9D6D32AA1F7BFB0B61F6DA13BA74E4496BE5B74B414BBD690,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:09.925{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 11241100x800000000000000031572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:09.799{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:09.799{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEB8754F2B18FB1815255BDD5E43E27B,SHA256=D0D4D3EB7C8B036FFEB14FAE8DFBDF30FFED21CECAD92E5EDB6E7A7F135DEACB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:05.562{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse172.85.160.198-60709-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local3389ms-wbt-server 11241100x800000000000000031575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:10.883{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:10.883{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B9C57EB73108CE258A02F7110829C0C,SHA256=B55DD0B6C9F1AFE9C36DE7633167645B74A4E6CF7539B60CDA9E186B6B78175D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:06.576{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49972-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000013762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:10.110{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:10.108{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:10.106{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:10.105{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:10.102{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:10.099{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:10.098{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:10.097{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:10.096{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:10.095{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:10.093{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:10.091{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:10.087{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:10.076{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:10.074{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:10.069{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:10.060{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:10.041{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:10.037{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:10.025{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:10.018{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:10.013{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000013740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:10.006{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 354300x800000000000000031573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:06.692{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56849-false10.0.1.12-8000- 11241100x800000000000000031578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:11.972{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:11.972{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=864D9A38D9CE1BC74D9612C6F042E0B4,SHA256=8C96B27C77F70E7581330F4F97A76F94F20A468874446ACF16288A2097AE8A15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:11.026{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9495A297204AD116B95D8896131EBD37,SHA256=9D18115A7BE3E458A632CD50AF348015D1F1A8399C2C384925023296EFE60B72,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:07.452{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local50399- 23542300x800000000000000013765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:12.100{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA0B40B51DCBDAC37057FCC2FD70ABFF,SHA256=A49C6D3E104909C215491A201504155F290131698F2E4CA6527C83BFC84DB22F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:12.888{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 11:11:01.844 23542300x800000000000000031579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:12.888{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5ADE043315E664E4AB418DD19E99721,SHA256=5F6D130B8138B3D36DF12163D27147A7906B8B7E2E335B208F62549287D6F47D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:13.194{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B78D3A79E176BCC8C4D23BC6417CD4,SHA256=477D05981F586DC79CACAC5028BC7FDFB2771F7A1A83DD24CBACFB4FE2B967BC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:13.087{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:13.087{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64571EEBEC26FF245D632108DAA53719,SHA256=5E9BCBF7C67846235453FCC53C9B3DD9943F4DF01F2C7F7DB6927038A6B4F73A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:14.290{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00EDEFD9EEF9E23CBF32A4B18D044F59,SHA256=3B6AD7DFBB17DF6AA08AF69C0C69531CE218D72AD6C52A123D2DEF9B22B04371,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:10.338{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local56850-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000031585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:10.338{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local56850-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 11241100x800000000000000031584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:14.196{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:14.196{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D3094E870D2BAF44E046B07436719B4,SHA256=2F5A10ACE2DEFAF1FAF6243A35B07EA57F58B2106D6EA557ED9022A81F775AFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:12.523{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49973-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000013768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:15.384{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FB95FA2BD98DD308FF4C984C5DDD71D,SHA256=EF9940A1ABB0B2E0C121BC4C8CB2B32E6115729A532327031C898C81501734F7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:15.277{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:15.277{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AA3C2CC2FC7A18155F61D323B6618FA,SHA256=DFE9B67F0BB012622957E08A8406E8282B46DE330861B6CDAB3760214358CFB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:16.485{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5B4D85E8BCF2EAFFD99793AE7B90FED,SHA256=B8DA89065749DE451E81270139FC36891B2BFC7056AADE45F528F8F28B5D4182,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:16.351{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:16.351{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FE4CADD01201FBD2F14DA4ED23F6262,SHA256=0124196BA5C3E971C1556DCF163C5BF88D6DD2900456EA5A13A726EAF893CC7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:12.518{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56851-false10.0.1.12-8000- 23542300x800000000000000013771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:17.586{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A96FA98DEA5166ED19D67B0AA02FEE41,SHA256=64FC20AC231F05F49B3B8F7A7100256388E851F6D5B67FCEFADD7AAB03F17A43,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:17.331{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:17.331{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4181F999CCC5595F4A02E5DB2B3166F7,SHA256=767EC09E6FC8EBC3A07D1AE6FB7D66DE3F44CD0E6117A82923455C588F91E406,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:18.435{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:18.435{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74287C75C845E389F5E4D311AFF9E6E9,SHA256=47693F60CC662EC2D38F6CF4C0CC60ECA9FCC17CCEE16A07EA02E263E89370B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:18.896{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:18.689{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89535E951044FD9B5DBB2A893FBA8812,SHA256=C6E10B3B78EB0FB283A669E1959053461395DAC3294C934AB6FD9793E9F85E7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:19.774{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1BC7F794BB3871782F1C3B8285380D3,SHA256=EBC058BFD8ADEA349A7525D5E2EF332CC2DE93A948424A7B1A139C1F78E8F698,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:19.531{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:19.530{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3496DCA61D61388F81F62A3CE6599F6C,SHA256=F7FC3D982D511A3C1382F5D5A4D3CC086DFF46FEDC6759098E6F34EAA73AF0E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:20.866{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01D3231640470ABEBC57FB6FCDB84931,SHA256=58ED1F7B44AE1F57D0D8313F99DB54F5D49725F1C3DFAE2A5BA4547F56CF18FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:17.250{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49974-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 11241100x800000000000000031599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:20.619{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:20.619{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5CCF6D5AA27BA65E0C6BC3E0DC8DA34,SHA256=D9E6BE76D04FBC4646320117D36B7C4CCA0DDDE84BF9BE20EEB979FF4CA5EFFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:21.856{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7946DE7917E6B525A73821A74E1DBCA6,SHA256=BC58F99BC420C3F771B4BAF75DB8F947D7E87A1CA6885B1637C48E667D577CBF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:21.705{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:21.705{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC427D635193187D783CCE220D6DF218,SHA256=5A4655A0545A32C690B1C53F21DDDB459225DAF7D8629719DA4624248247D574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:21.717{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\respondent-20230116112145-023MD5=B18DB66107F9A3DB58AE009D35CE0A39,SHA256=9B023875329D6D96D1D2E2C61D5FC66BDE525A94E7FC76E10487647BF6E62E63,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:17.699{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56852-false10.0.1.12-8000- 11241100x800000000000000031600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:21.099{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-16 11:46:21.099 23542300x800000000000000013780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:22.930{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03914B2D49BFFC6B96DFE665FA099A3D,SHA256=421DAB11E7E5F4499783D7A7A9466490EFB1C3E8477F4D5E0B74DA620DEC7824,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:22.742{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:22.742{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0696AD20901513AA3411E767D57E9DEB,SHA256=9BC5CB2F264E8BE630221D958A0B3DAEA33AEE65B8DD21F4E645E79074A2DF5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:22.712{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:22.708{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000013779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:22.726{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\surveyor-20230116112142-024MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:22.302{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:22.292{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:22.285{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:22.283{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:22.280{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:22.278{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:22.252{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:22.246{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:22.231{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:22.224{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:22.217{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:22.189{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:22.182{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:22.170{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:22.164{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:22.155{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:22.147{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:22.100{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:22.098{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 11241100x800000000000000031637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:23.839{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:23.839{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52A14B146599EACE67188B71625BAA9C,SHA256=5CC1F0B51203C803404373F1DB2844F24789E8B489F3132C2D6916BC2F9A0CB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:18.435{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49975-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000031635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:23.640{FCCA13C7-390F-63C5-9C05-00000000AF02}61283292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:23.464{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-390F-63C5-9C05-00000000AF02}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:23.464{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:23.464{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:23.464{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:23.464{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-390F-63C5-9C05-00000000AF02}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:23.464{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:23.464{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-390F-63C5-9C05-00000000AF02}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000031627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:23.465{FCCA13C7-390F-63C5-9C05-00000000AF02}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000013782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:24.025{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6514AF8F9A8B79D35A849644C300C62,SHA256=05F8EBB25D85FF7FE2EC6AE69EB06EBE112F5A8AD410723D5AF32740E2649F7C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:24.701{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 11:10:32.859 23542300x800000000000000031661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:24.701{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C15BF55CB18BE0D6688EF4D5C7A55BCA,SHA256=B7C1510FEE5688EADC0C32ACAA838C4E3242A876DE40B390AD6D0965332FBDBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:24.701{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-3910-63C5-9E05-00000000AF02}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:24.701{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:24.701{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:24.701{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:24.701{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:24.701{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-3910-63C5-9E05-00000000AF02}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:24.701{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-3910-63C5-9E05-00000000AF02}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000031653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:24.702{FCCA13C7-3910-63C5-9E05-00000000AF02}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000031652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:24.671{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:24.670{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:24.667{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:24.665{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:24.663{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:24.654{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:24.650{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30EA-63C5-0100-00000000AF02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000031645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:24.011{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-3910-63C5-9D05-00000000AF02}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:24.011{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:24.011{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:24.011{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:24.011{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:24.011{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-3910-63C5-9D05-00000000AF02}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:24.011{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-3910-63C5-9D05-00000000AF02}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000031638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:24.013{FCCA13C7-3910-63C5-9D05-00000000AF02}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000013783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:25.125{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62A9BAFFA7E64F730AF42A0DF1F11F1B,SHA256=63CFD31485A7DB1CDD431194BBBE9AB45D9C1695BC5566057B884AC9E21F6B73,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.939{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 11:11:01.844 23542300x800000000000000031697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.939{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DB355ADBC3CABF2586DE8D731F6B8C0,SHA256=FFE768FC80ED298E28107FD448858F21C08C5928BFB7CA6D05D5BEEFF166B52E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.554{FCCA13C7-3911-63C5-9F05-00000000AF02}65124720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.384{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-3911-63C5-9F05-00000000AF02}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.384{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.384{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.384{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.384{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.384{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-3911-63C5-9F05-00000000AF02}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.384{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-3911-63C5-9F05-00000000AF02}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000031688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.385{FCCA13C7-3911-63C5-9F05-00000000AF02}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000031687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.282{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.282{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.280{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.280{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.279{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.258{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.251{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.239{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.213{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.208{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.199{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.196{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.194{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.192{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.190{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.189{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.186{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.183{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.182{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.181{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.180{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000031666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.178{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 11241100x800000000000000031665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.129{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.129{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E88EFF90393681A66B2D8AA41E1385C,SHA256=AAE17F2497EB6D96136405CDF1A3F604F524789E63599E4DB37324F421E02CC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:25.008{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=AAE519A5E418A59B93C89DFF76BF801D,SHA256=98F6949A8B802C9E3221B9329F488CF563E0F7C92839A7DDCB795BA8A68DB9DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:26.221{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E91BCE314203695957E89A73BB69F415,SHA256=EA4EDFB3CF5B31064371831E62AB679744F3344147DE89196851D2179AD01C9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:26.972{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-3912-63C5-A105-00000000AF02}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:26.972{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:26.972{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:26.972{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:26.972{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:26.972{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-3912-63C5-A105-00000000AF02}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:26.972{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-3912-63C5-A105-00000000AF02}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000031712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:26.973{FCCA13C7-3912-63C5-A105-00000000AF02}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000031711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:26.434{FCCA13C7-3912-63C5-A005-00000000AF02}62245392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000031710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:23.125{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56853-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local445microsoft-ds 354300x800000000000000031709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:23.125{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56853-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local445microsoft-ds 10341000x800000000000000031708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:26.293{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-3912-63C5-A005-00000000AF02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:26.293{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:26.293{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:26.293{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:26.293{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:26.293{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-3912-63C5-A005-00000000AF02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:26.293{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-3912-63C5-A005-00000000AF02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000031701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:26.294{FCCA13C7-3912-63C5-A005-00000000AF02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000031700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:26.065{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:26.065{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A25187B59A6FDDC3BBA03E3213AEB6CE,SHA256=9FBDCB6BC2C017CC812F04AD5E3013B204520234C11FEB8DED8E2C078EE32A4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:27.922{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=01DD8B16EB6288CB317E9B21B6781303,SHA256=0752260A354EAC41D6BBD7446E154D98FBD55EF952663D86A8477E866B32085D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:27.313{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=762430D887454D124CCC97F7CF6F790A,SHA256=7A88B50E6504AD9B7E2224558D6F07E3DC8D2ABB96EFFCA9A264F1EDE99A971C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:23.588{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56854-false10.0.1.12-8000- 10341000x800000000000000031722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:27.141{FCCA13C7-3912-63C5-A105-00000000AF02}66964904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000031721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:27.125{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:27.125{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EDC12D286D540D2A4482A473B362C04,SHA256=9ED497C140AB00152E0A47A92F1063431258FC384C32FE66681AEC8F8EAD5647,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:23.530{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49976-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000013788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:28.409{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CC80048E477B6BEBB830905A9134C99,SHA256=76D8F12E1D7C39902BB269F5F855929721D29C389FC6D8637CB00BBC671E2E5D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:28.217{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:28.217{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FA9ED8C9E07B8CC40C4BF7EE9FF0E3B,SHA256=578DB985E93C72AA60A4A1327E6D8B0FB28A47E856519947F4D70DCB00F1C539,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:29.971{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:29.965{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:29.956{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:29.948{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:29.940{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:29.933{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:29.931{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 23542300x800000000000000013789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:29.509{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33004D8C8B20B749CC3F1E5CF0DF7FD7,SHA256=7A2C2A580D7C8076C9EF2DB1234400C9D5898A902518813E8199316AA66039B8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:29.305{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:29.305{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=265F32B5D06C7F411F726F9D388ED579,SHA256=210D9C2D10DC2E60853C3234165D34D2AC2BB0B0E5B5CBEEE727E6272674A82E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:29.117{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-3915-63C5-A205-00000000AF02}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:29.117{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:29.117{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:29.117{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:29.117{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:29.117{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-3915-63C5-A205-00000000AF02}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:29.117{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-3915-63C5-A205-00000000AF02}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000031726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:29.118{FCCA13C7-3915-63C5-A205-00000000AF02}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000013821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:30.875{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B3EAD342B775E5DAD7287EB347426DB,SHA256=77346946AB9E01D821D56318314DF1D6E104C26A4F130FA4593D1CE572898231,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:30.385{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:30.385{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=735B23CA920CE5C38AE0828FEF21DA9E,SHA256=25CF94B5D36707EC0F6841A0E9AA54D65074EB34800DE7BC4E1EBCBD851B6426,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:30.114{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:30.112{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:30.109{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:30.108{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:30.105{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:30.103{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:30.102{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:30.100{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:30.100{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:30.097{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:30.096{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:30.094{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:30.085{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:30.077{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:30.075{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:30.069{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:30.061{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:30.046{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:30.043{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:30.032{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:30.025{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:30.016{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:30.008{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000013797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:30.002{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 23542300x800000000000000013822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:31.897{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB11145D8932A6C70B5868301512E4FF,SHA256=2E1B3637E00A3B67B7E50F4C7C06FEB8EF2AD29A9B00110C0B86ABC1310DBA46,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:31.469{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:31.469{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DFFC1511349858F270DC0E50E8D3E1A,SHA256=2FE43D3A464A0D6146A979C2226EDA3F39C3037E5E167457A2ED8DD8CB1AD8BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:32.991{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DB49DED917D8398F6631B3D5F768FB8,SHA256=C42DC91D848E873A709AF6F3BD73A35131713D2D97FBCA119D848FF2DC0EDEA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:29.556{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56855-false10.0.1.12-8000- 11241100x800000000000000031741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:32.536{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:32.536{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1218C7434250B60EB8CDC80E5AFC4A15,SHA256=3EB463CE80F722352FD60E492BB69FAED735015B55AB6854216259016BCE368B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:33.610{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:33.610{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AEF13DF97DDCD2AD168E6636DD8AFEF,SHA256=32871DDBDFB5D6DE96D553D7954E6BF7D7543B782006022D9C58AFA20955E538,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:29.486{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49977-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x800000000000000031746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:34.667{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:34.667{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBB5F7544E9C89F3FC9156C5BFBB7133,SHA256=2582BD4CF317887662690F236F5A113DD4524F1B43ACF69EA1DDB32FE2C3C444,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:34.088{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E833EA7AEB08AE1F9F0063941B9D666,SHA256=3317F7FB7D3DADC6A964615CFA2515DFA98B1923E754FB5DD3EA300C3CCE65A4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:35.755{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:35.755{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFF9BAB19A9A871C6872133E5BCC2B31,SHA256=ABAA602D6185A61BC30B8B3FD8DD1DF96B717A947AC6A6C3110205665AC5CFBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:35.180{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9891102EFC858D4ED4B5B3C636AF4E3,SHA256=843F30A43BF8F512263649E248E1BF8948F34DF566C43304BB07520B1593AA4B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:36.841{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:36.841{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6A3B62024D613DADA03695F50F0F7D4,SHA256=5BB3944B6315287027EB9CA2FD55F4E2FD792E79BFF4286357E69441A5E8C728,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:36.269{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE2BC6CC67C585E836A1AA3809A3109F,SHA256=C0E43ECDB1DB5329380874E1F397B295E75C571998DC519582B697466E5B6CFD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:37.927{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:37.927{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96CB556CA84A45AA0C41A784D10C87A1,SHA256=B66E5CB08D3EFD38D31449C2B30AA96EEA99CA739AAF291EB5D5F8DF7C9E521C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:37.354{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62F4B6C02FA7C29E429297F5D0D74F49,SHA256=406E0DC696B30F5054BD21C170A446E7DA98E011A863C2FECB8C2F2229B44AC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:38.433{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5637FD65B978B248209310AD82910878,SHA256=2D135CC4BB6944C2022A9EDDD413870E7D23E27F52673EAC4B911E2D14F33986,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:35.520{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56856-false10.0.1.12-8000- 23542300x800000000000000013831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:39.534{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35A10458755C18667A0585CC2E0DA49A,SHA256=871D0A4CF7AAEEE30DFDA417C359A00F6049A4CC7A681E2EC0E200DAC677FDF5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:39.011{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:39.011{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58DECA45A7C214C4A081F501B26B0D9F,SHA256=3E732C6A9B40ED903F69BFE14D6605B7EC37E2BD692A7871BFBE20FD9E02606F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:35.408{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49978-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000013832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:40.632{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A03BB2CD93AAC2C61B7A9CF87D18D87A,SHA256=F186052C192CE6E75429ACA4EAB737D6F92CF1DF77EAD9AB173A0318EBD1C702,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:40.089{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:40.089{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AD3F36B5A235A7CCFB4FDEC5D83C7DB,SHA256=02205A1C0244F974F934A8C199E735FF61F6600FA31B399F12C5620BACA2274E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:41.726{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1D4CA536A502EA2B29280782E276475,SHA256=859455A0F2DA9B13699D76D61150076D8A7B928A5F37B726521207C025217EAC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:41.176{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:41.176{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D2EE9A35A1631F1C36C73E47C955F5,SHA256=5ABB32BB034160CD63E6CB44CCB8FCB8DABC005BA9205BDC8F855768D9956D6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:42.827{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28A7C2E480D2B42E129CC15A57CE9419,SHA256=5483BB5D6764BA59F7F152FD0BBFD40CE741CB3641957C3493BF3343382D8EFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:42.764{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:42.758{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:42.325{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:42.314{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:42.303{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:42.301{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:42.299{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:42.296{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:42.269{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:42.261{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 11241100x800000000000000031772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:42.257{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:42.257{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17D637BA2C8BDF26FE0ED6D2176AC33D,SHA256=EB8AF9C55E0CB4DE8C266330AC8F7D53FDF19198205FCE5EF2FDBF26C05FA54F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:42.243{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:42.230{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:42.225{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:42.183{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:42.175{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:42.163{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:42.156{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:42.145{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:42.136{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:42.100{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:42.098{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 23542300x800000000000000013837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:43.924{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95868267372BDA596F3A653CD3EB44EF,SHA256=365EA6ED264A0DFE0124C5EC93FACEB5873CAFF5A072A916720727B9CC614B78,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:43.966{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2023-01-16 11:12:42.170 23542300x800000000000000031786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:43.966{FCCA13C7-30ED-63C5-1100-00000000AF02}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9C418244DBA1659F96C8FAB2EDECD3EA,SHA256=F0D34286806E70DED07F888B7C778BE27BFDDEF145DDF5031796AC121D0B2F7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:40.667{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56857-false10.0.1.12-8000- 11241100x800000000000000031784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:43.297{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:43.297{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E27AAAB3E82A0F178427C59A56D44A0C,SHA256=E544F375ABC4893A8D9A5D11E6B3C5003A140FCB7CF07323F61F63E473D7C174,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:43.799{312A7A06-3345-63C5-1200-00000000B002}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6D862DB7FF93C170CA9F3BE51B95B018,SHA256=BB281EEFE6CAB87C39976C1A778ADB2A192A66F067F90B0ABFBC2A9EBE4F6782,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:40.539{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49979-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000031795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:44.808{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:44.807{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:44.804{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:44.802{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:44.800{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:44.794{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 11241100x800000000000000031789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:44.380{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:44.380{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ABF8562178D454EB00FF41D2648CF62,SHA256=239DADF3FEF654AA226410C257A25C04165EC7F3F62766BA84AA56EC40F15666,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:45.450{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:45.450{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:45.448{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:45.447{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:45.446{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 11241100x800000000000000031814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:45.439{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:45.438{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5078371DC51323412C5933BD45FA51C,SHA256=80BA94D1766F7206386E09B09023DF15D2EA1F334AAC750EA6CBEBF0C1530C05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:45.418{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:45.410{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:45.395{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 23542300x800000000000000013838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:45.021{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DF284E3D50995CC3AC0729EF4F29312,SHA256=831BB415E9CCED5D421D4F13B7E0CADDDEBFDC26E2DF58794CA4B4B0C6070FAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:45.369{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:45.362{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:45.352{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:45.343{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:45.341{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:45.338{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:45.335{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:45.335{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:45.330{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:45.328{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:45.327{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:45.326{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:45.325{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000031796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:45.322{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 11241100x800000000000000031821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:46.526{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:46.526{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48B02F9DCEA30158BC8E30B8CFF45E76,SHA256=D376774D73703E30E6C326738E2F8284B89D9C358582826219F80DE4980B48BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:46.114{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB00186F6F8819D6802BF0A74C7D2DE0,SHA256=45933CF5959159D675048EBB9E253522594CD685C5B23154321A350E87AF6E5F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:47.612{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:47.612{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85661980BAB6DEE9993469AAEB380545,SHA256=1A23A61BD28443494634BC111D89EE11E1D54A4AADC7C29900F8F30A9DB18DB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:47.199{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13E25602E2D54E481584AE696685C4A3,SHA256=D094B7A863F76AE3502FA2AFE44173B79E3403B1AF8882726AE5B1EB5BF065D3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:48.706{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:48.706{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BC5FDE3686BDFE2D4050555556F0BC3,SHA256=BEFCB30CA7CF5AF47C9A2A27ECAC6570C87A122E69C534FA561280189D060B73,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:45.603{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49981-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000013842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:45.112{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49980-false169.254.169.254instance-data.us-east-2.compute.internal80http 23542300x800000000000000013841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:48.301{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A30154183E8B6A6091AB6BE8EE8E78D,SHA256=FFF8F42EC1AF19F4357EF9B8EFD6B263AB0FC4B03AE220F9BC61669E29389D23,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:46.601{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56858-false10.0.1.12-8000- 11241100x800000000000000031827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:49.784{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:49.784{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBA53BC77B592B0E3BE5B7B85193EDA8,SHA256=00B62A5394087B91123090E2D9C5C9CEDEE239FAB2CD79F0BC3C49B8DB3785C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:49.985{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000013848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:49.975{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000013847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:49.965{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000013846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:49.950{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000013845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:49.941{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 23542300x800000000000000013844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:49.388{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60FFC24568AACE3F12E0E3D67D1E7188,SHA256=312F8E28F2DFF337E57E5C4B5EA2AA9F41694F04D6D71B580EF897CA80EC7AB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:50.927{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C4ADEC653AE0C177DC2AE685BC2B443,SHA256=A1A167E4C603E5B7AEB26D625C5CA1CD5C403456AA01540201C91FE0ACA5AD1B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:50.865{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:50.865{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F60E05FD538F334F7EC318D507BD791,SHA256=B1AA8DCF700914EB50AA3F55157E2E7F3A466724738B31028760F1A4CD44865E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:50.122{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\respondent-20230116111158-033MD5=3A7897B317CA03B79FE07533175F9643,SHA256=F76FF17815B8F96571634A983322FD544389A7130FC207258DDFB92658757A4D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:50.121{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\tmp\respondent-20230116111158-0332023-01-16 11:46:50.121 11241100x800000000000000031829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:50.120{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\tmp\surveyor-20230116111156-0342023-01-16 11:46:50.120 10341000x800000000000000013875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:50.186{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000013874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:50.180{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000013873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:50.178{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000013872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:50.176{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000013871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:50.167{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000013870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:50.161{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000013869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:50.155{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000013868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:50.155{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000013867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:50.153{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000013866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:50.150{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000013865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:50.148{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000013864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:50.145{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000013863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:50.141{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000013862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:50.136{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000013861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:50.134{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000013860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:50.129{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000013859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:50.121{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000013858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:50.105{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000013857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:50.102{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000013856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:50.092{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000013855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:50.083{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000013854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:50.075{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000013853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:50.068{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000013852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:50.063{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000013851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:50.025{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000013850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:50.012{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 11241100x800000000000000031837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:51.964{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:51.964{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5C9CE57AB67278F41AF760F8F0CC61F,SHA256=BC0DCD26623D343977D644FC51CD01AC7FC87D243A86A115C04446D2A83E4957,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:51.131{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\surveyor-20230116111156-034MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:51.114{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-16 11:46:51.114 10341000x800000000000000013881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:52.919{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:52.919{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:52.919{312A7A06-3345-63C5-0B00-00000000B002}628668C:\Windows\system32\lsass.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:52.905{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1D00-00000000B002}1996C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000013877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:52.214{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36DD63E545BE531CE3C6E37D42EDDB4E,SHA256=E672301D4FBE1366004A98EC0B9B29D2C0C80D6C849319E218068E71E2A0F385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:53.304{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F233713431A3E4FEB80FF197C775922,SHA256=6F3698DF3DFAE1A78C9945671A4619E72B41B06768DE209EDE76408982D176A3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:53.054{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:53.054{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FA12DEF00E44EB0F5780A800B10C1BE,SHA256=2B3A4548FFBF241413B5046F1BBB28E2CD4BA4195177C4EAC074F34CE70014E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000013884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:51.458{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49982-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000013883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:54.401{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C67E489E587D7557529D17E0E23FFF42,SHA256=200BC8BBE722DA947CD49BBE3FE764E6E980A6F03627D7363866F80135F21F93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:54.203{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E4648A847DAD2ABB824012DAF7C61257,SHA256=58E195603ACB38FAB735B98FCD1C5431AB9FCDA7BF9CF54CA91FAD2766556E29,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:54.156{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:54.156{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01BB5F7B8DD407952671558F5CE4ABF3,SHA256=784E823D3194A1189D7BB05383A80D759198D2A5FFDE62E893AAFA33B4689C09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:55.500{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7B9479894C1A39473B87045B893384,SHA256=1DDB351398C5EBA7263B6418A9346458C70B19A7E029DDA026FA4FEC70EBA27F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:55.231{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:55.231{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75989F7FF2F12072FA4435FFC39923F8,SHA256=85C3A6303CB292B84B2EB36E22831C4F33ED32E22CFDE0711FD02DB7AB131AE8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.782{312A7A06-3930-63C5-C201-00000000B002}38041864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.641{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3930-63C5-C201-00000000B002}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.641{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-3930-63C5-C201-00000000B002}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.641{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3930-63C5-C201-00000000B002}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.643{312A7A06-3930-63C5-C201-00000000B002}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000013906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.594{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=325BA266D7FDE5E77D3F4F37F3BD6E57,SHA256=A110A75F95D89B2424D6A8DC4289B491AADB90ABA83C2EA2ABBCD902DAF70D16,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:56.311{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:56.311{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F620C8871E44B7FC8D4E7CEFB8EE835,SHA256=D69741219F1A1FD730624E55F8343E6F4440DA748ACEB3C732C10E85B9B67085,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.235{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9B56D54C9F7233C079D0BE5E7305002A,SHA256=2AFF5AE3516210DCD1AA57C8BFB1B6EA04AA5B8CA944EF4F0BBD8C989D7C7070,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.164{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3930-63C5-C101-00000000B002}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000013903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.164{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3930-63C5-C101-00000000B002}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000013902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.164{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3930-63C5-C101-00000000B002}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000013901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.163{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3930-63C5-C101-00000000B002}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000013900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.163{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3930-63C5-C101-00000000B002}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000013899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.163{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3930-63C5-C101-00000000B002}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000013898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.129{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3930-63C5-C101-00000000B002}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.129{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.129{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.129{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.129{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.129{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.129{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.129{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.129{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.129{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.129{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-3930-63C5-C101-00000000B002}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.129{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3930-63C5-C101-00000000B002}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.130{312A7A06-3930-63C5-C101-00000000B002}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000031845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:52.587{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56859-false10.0.1.12-8000- 23542300x800000000000000013935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:57.774{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6B56FCE6B51BCAA9D1DB7CAC7B2A4E0,SHA256=5891AC75EB16BE0A079B8C4DC7A44F5B9A80D6E3ABE5ACB13B5486E0CC052276,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:57.572{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2023-01-16 11:14:07.413 23542300x800000000000000031850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:57.572{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:57.416{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:57.416{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F174D431F1CBEEC6B455F07C2A5FFB14,SHA256=D3809662D4B5B365DDF0DFC3EFD675966CAFF1E91FF28BB14BC71BDF4B6FF1CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:57.352{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BEE4902B03C3A78C81145296E936900,SHA256=BB4E2C8C6A6762B5631860AC8E4B6A62CA52354063AEDCD6689AAA2D85F9CC6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:57.321{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3931-63C5-C301-00000000B002}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:57.321{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:57.321{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:57.321{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:57.321{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:57.321{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:57.321{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:57.321{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:57.321{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:57.321{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:57.321{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-3931-63C5-C301-00000000B002}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:57.321{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3931-63C5-C301-00000000B002}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:57.322{312A7A06-3931-63C5-C301-00000000B002}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000013951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:58.906{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDE51E794FD3A85713526C02F320FF80,SHA256=C71EE8083BB98FBAF20DC0DE3E6BE9BF85421FC3EE699DE484087FC48EF71195,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:58.891{312A7A06-3932-63C5-C401-00000000B002}18921888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000031853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:58.539{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:58.539{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3823F57B45F56F8F41502DC9A956ED6,SHA256=FE998C3CF1F86B3F0724BE2EEF62AA16A649BFD59F49C4D005F5BF52B647B476,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:58.672{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3932-63C5-C401-00000000B002}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:58.672{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:58.672{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:58.672{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:58.672{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:58.672{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:58.672{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:58.672{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:58.672{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:58.672{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:58.672{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-3932-63C5-C401-00000000B002}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:58.672{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3932-63C5-C401-00000000B002}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:58.673{312A7A06-3932-63C5-C401-00000000B002}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000013936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:58.144{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=10DE42C5928FE30390ABAD7D0BD2B299,SHA256=E76C4CA52139386A424079B858DB5F8329D89097332B23D3544BC3FD5675C00E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000013966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:59.988{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710D01E6C270A42A47B17DADAB124A17,SHA256=0FDA0D2B08069F16B5BE765CF4B74A40FCA00A7D5E3E8A1C5A7BAFE039E3F27E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:59.619{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:59.619{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB6DCCF728D13B6C7F52E22AB790113A,SHA256=E6406AE0438E17D06AB3F98FFE6C2AB3541DDFC126DE02FB1835ADCD39861838,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:59.691{312A7A06-3933-63C5-C501-00000000B002}9083572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:59.535{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3933-63C5-C501-00000000B002}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:59.535{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:59.535{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:59.535{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:59.535{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:59.535{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:59.535{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:59.535{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:59.535{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:59.535{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:59.535{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-3933-63C5-C501-00000000B002}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:59.535{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3933-63C5-C501-00000000B002}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:59.536{312A7A06-3933-63C5-C501-00000000B002}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000031854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:56.030{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56860-false10.0.1.12-8089- 11241100x800000000000000031858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:00.695{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:00.695{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1AAB9C44D4A10C05C65F2B0EAF1D609,SHA256=F00597107D73329141506378B490E72EEC0EB70B5ED991E662181EE428980978,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000013981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:00.403{312A7A06-3934-63C5-C601-00000000B002}10321556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:00.202{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3934-63C5-C601-00000000B002}1032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:00.202{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:00.202{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:00.202{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:00.202{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:00.202{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:00.202{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:00.202{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:00.202{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:00.202{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:00.202{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-3934-63C5-C601-00000000B002}1032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:00.202{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3934-63C5-C601-00000000B002}1032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:00.203{312A7A06-3934-63C5-C601-00000000B002}1032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000013967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:46:56.609{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49983-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x800000000000000031862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:01.779{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:01.779{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=171F6B2693D08814AE6C5C809438A674,SHA256=6356CA1934B9FA0604272F7BBEF14DFCF5ED2D038960C1D91F48F1DE8A1C062F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:01.505{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3935-63C5-C701-00000000B002}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000014000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:01.505{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3935-63C5-C701-00000000B002}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000013999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:01.505{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3935-63C5-C701-00000000B002}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000013998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:01.505{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3935-63C5-C701-00000000B002}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000013997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:01.504{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3935-63C5-C701-00000000B002}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000013996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:01.504{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3935-63C5-C701-00000000B002}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000013995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:01.349{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3935-63C5-C701-00000000B002}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:01.349{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:01.349{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:01.349{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:01.349{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:01.349{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:01.349{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:01.349{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:01.349{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:01.349{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:01.349{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-3935-63C5-C701-00000000B002}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:01.349{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3935-63C5-C701-00000000B002}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:01.350{312A7A06-3935-63C5-C701-00000000B002}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000013982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:01.084{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15AB5686FECB74342D90ED5890E1E0E5,SHA256=92472C498C2800BC25E9CD5605F74B05CD1A85533CC41BD54F8AC5ED7810CCA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:58.238{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56862-false169.254.169.254-80http 354300x800000000000000031859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:46:57.721{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56861-false10.0.1.12-8000- 11241100x800000000000000031885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:02.824{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:02.824{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88CBCFFA31F88413CA8C2E3DCC6D309C,SHA256=91234B2C6464C74FF682BC94953D5CC4B5B3D8BE4940B53C346BB4F0781F6479,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:02.785{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 23542300x800000000000000014003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:02.659{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA7D3896A0894479EAEFE3381CCE24D4,SHA256=A9902FDEF2A9E894823D9E79B883C07FF7B3C6E2D60B8034A6DFFB36D2198D98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:02.173{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8E56B1D51B5B42521469D4266A42D80,SHA256=48FC7E433F55B72C2762668B846E08C76E0F83B658875709C034CAA9E6684CF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:02.775{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:02.351{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:02.339{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:02.328{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:02.324{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:02.321{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:02.319{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:02.287{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:02.281{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:02.267{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:02.256{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:02.246{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:02.199{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:02.191{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:02.180{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:02.173{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:02.164{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:02.156{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:02.120{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:02.117{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 11241100x800000000000000031887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:03.804{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:03.803{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=648AEADB0590C8AACBAC363621895040,SHA256=4C938CD96609E41D2C7C8E9D0C3A6C37185531E8EE27F552B8510C531DBB709A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:03.256{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=924E379FFB1750064855A72DBF2BEBB1,SHA256=47A6EE0CF6C70E35B0FDFD4576B624CBFEF5027823F6DF8106D95C6915068B22,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:04.865{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:04.865{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F75FBDCA2386F2C2F3A63DE4B735A0F8,SHA256=EA9E1C94240B3DF1C4A4DE65EF66A3F1E121891ABA89AD51B8C3BD6DD82B2C0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:04.825{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:04.823{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:04.820{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:04.818{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 23542300x800000000000000014005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:04.359{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7E11A58A18C5509D5BEB308C38F8CF7,SHA256=68E97F9FE97FF3A8183D185367E27E37548F2BB6D8BD624EDF656EEC698B865F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:04.816{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:04.810{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:04.520{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:04.520{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:04.520{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:04.507{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-AF01-00000000AF02}3376C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000014006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:05.464{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919D1B41D4E38D771EE8F26B922FAB20,SHA256=50D5C4CDF7FCE5A09045BC860938EE6F720DCD16537C24EEA6B9C5A9FECFE27E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:05.452{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:05.452{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:05.451{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:05.450{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:05.449{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:05.426{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:05.418{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:05.402{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:05.370{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:05.362{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:05.354{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:05.347{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:05.346{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:05.343{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:05.340{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:05.339{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:05.336{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:05.333{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:05.332{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:05.331{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:05.330{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000031900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:05.328{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 23542300x800000000000000014008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:06.553{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B60FE4F31D986FA8D714E0B8B88BAE0B,SHA256=AAD2BE13A32DAEC9BA614FF3B05384EF1B34072F24DC89E0A434C71A078E3088,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:06.338{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:06.338{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D41144F5EEDEC2FD495DF0CF3A183F2A,SHA256=EC3B65D5512DB23087066BC561BC6ABD82D0E523AAAE131C3FFD313B8A9367AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:02.402{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49984-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:07.654{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8F20631847B23B58902FB15DBC151C2,SHA256=53278D912B9CD2242EDC1003D42F1CB56EF7B3C18B76A2DC967AEC0A8DD220CC,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000031927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:07.890{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d929a0-0x42f39f90) 354300x800000000000000031926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:03.543{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56863-false10.0.1.12-8000- 11241100x800000000000000031925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:07.375{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:07.375{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AA1B39395AB5D8084975CA3071F9DF4,SHA256=61F88D45C01DA0449C2C417DC79A5A6CF3308B969FB1A7A717152E627BD0B18C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:08.739{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EFCD5E6882FB0BC5FDCCD1508889342,SHA256=0B3F2BF2AFD6AA6F62A9816B15E5546FD2AD1A4826570B790521DC03A2B02B6B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:08.465{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:08.465{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28C62295C4CB8D78C554DB1A84118F22,SHA256=F1D660C1215803538BDDA243384B0E66B76DB0553AE1FEA8ABC37FC4B135A012,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:09.999{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000014018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:09.972{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000014017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:09.968{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000014016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:09.961{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000014015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:09.954{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000014014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:09.945{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000014013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:09.931{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000014012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:09.924{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 23542300x800000000000000014011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:09.822{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D101A9CBBA4E3CCED07728B435ADCDF0,SHA256=578847E37FC28E515596499CB81F6FC5651E0E9A046F79FC64367ABF71A192AF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:09.554{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:09.554{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93DA9036B392C61370FBBBEBBD4CF2F5,SHA256=AE66C8C4569394C33931C02E4647924A9574F3BA73513B6CB4BCB405D018671E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:06.285{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local123ntpfalse168.61.215.74-123ntp 11241100x800000000000000031934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:10.650{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:10.650{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=932DD821A673E6BAC7BDFD6351D09668,SHA256=B08AB4137F02496D156110C2CBBF93CD11F0BFE44C96C4ADE9540E98C49E9320,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:10.106{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000014041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:10.105{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000014040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:10.103{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000014039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:10.102{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000014038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:10.099{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000014037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:10.097{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000014036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:10.097{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000014035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:10.096{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000014034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:10.095{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000014033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:10.094{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000014032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:10.093{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000014031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:10.091{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000014030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:10.088{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000014029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:10.082{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000014028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:10.080{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000014027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:10.075{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000014026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:10.061{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000014025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:10.044{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000014024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:10.043{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000014023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:10.035{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000014022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:10.028{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000014021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:10.019{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000014020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:10.010{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 11241100x800000000000000031937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:11.736{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:11.736{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B606C88E329C34CDF1BDC45C9C2C0169,SHA256=DBEF3B8CFCF19ADCB998E415A06762A3F077197F77972221E8BDD01306E0CC60,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:07.412{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49985-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:11.084{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17FAC17E1ED8DADADA3E4F8738B80B9B,SHA256=C91CDCBC6C177F9E5FF39192E4C5C037FF810D31CF3081C8CB16A141D99AB694,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:08.575{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56864-false10.0.1.12-8000- 11241100x800000000000000031941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:12.927{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 11:11:01.844 23542300x800000000000000031940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:12.927{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44997C3FFBBDEF2B3E44C41A5D1417FD,SHA256=2F608E7374B4D5057F2F234E3A11E2A1BD2B6A12858FE5DEA949A5446AA6ECD9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:12.818{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:12.818{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E94AC6D72E377F902A5BF81DA35659,SHA256=3A0EB1DA5AEDA7C62A7AE0FE8C3E8D8E5DD7D25E122527395EC075C004320205,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:12.094{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55F506DBA6FA330EE91040630593DEAF,SHA256=017469BAACC92F638E7C15B3C92566B36339F3D79F0CE246B8D96604BEB933D3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:13.910{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:13.910{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E621AA873D46AD946C88655FA0BB51,SHA256=6DEC97D76CAA4A2F745728EE6C150492B4B43640368CF5CF7F3E18DB2CA34F2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:13.188{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0469E5D32B058E8207F23DB9C2C02E4A,SHA256=DC22AC85AE755656982133BA58F75D67F5774BDF587827CAE5A02090C0AA5F36,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:10.350{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local56865-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000031942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:10.350{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local56865-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 11241100x800000000000000031947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:14.980{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:14.980{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8646D2D93B34D577245E76B3A55C364,SHA256=A054BB5018F83865348DF03573E8001D49901A8C102173D86684082E63CCE5AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:14.277{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9911B8601B3D9AABAC7758ACF4406EA,SHA256=FD76A6F2F8CAF62868C29CFE7C09B222820B25CA41CBA7E9F53E04B52F699FED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:15.371{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA1CBBAAB19D2C6E8FC0DE400939832A,SHA256=3C6136A778B1F6E36008CD71E534846CFEA1FF52FD9F8DBBF01E3FB5DE42C1AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:12.602{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49986-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:16.462{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26EA0E25F59B9FCB6E3256519816C763,SHA256=0D8FF3C5E28714CB0DB5E675F2FF12B7253B2062CFC658C626E33F664671AFB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:13.714{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56866-false10.0.1.12-8000- 11241100x800000000000000031949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:16.065{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:16.065{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE3DB18EEB2E03E763F1DBC0C4C845E,SHA256=D12BA0382693850482DD6547F148D5C1348876275019A952647C1C74A4250A67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:17.545{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCF271C6F9F4AD19391046AD3C75ED7D,SHA256=EB5E96BD0330F37729A7E6DFE3A8AE5E0DA511FF4DC8E0C5971EAE6B66BCD1F0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:17.140{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:17.140{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20E5D7EE9C09125418C9FC660EA74CFD,SHA256=62B908F24E646FA4247F351AAFA74D4FFDC814CBAE906C2C14FD14541681A01B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:18.928{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:18.631{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F168400CED28E3BBB9E3EDFA58A8C2E2,SHA256=9D7ACA6467591F8C4B6443F22B4E78B32D497F8B705F103F194CBB56CE71D026,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:18.229{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:18.229{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0794455415911C8672781E7675D90E1,SHA256=A0AC5D90C369BEA8148A7D6DC2B14E36D42E515758A8BE90699373E65EA87BDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:19.732{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47B129D60EE1377F7B1367D33FD0517F,SHA256=87D4F2413CE3FC05FB8BF3775F703F331F04366456678280437C0E5C2B84A71B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:19.341{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:19.341{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9849795F4883E7269BCE3402DE19647D,SHA256=3D8994B538CC34559CE4B203E0935D0C5DECABA5660350FB1F4A498E17AA6A29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:20.802{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2755471CBE995513CB360E58C2BC1513,SHA256=75D76D9C3F66D8703E6BF57B773D62C321F0FB1C43241AC53C3A0DC73A99590A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:17.285{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49987-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 11241100x800000000000000031958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:20.413{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:20.413{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EC8C198B7198BD27E87C6A3B41614BE,SHA256=3CC5EBAFE3ECB5EB1EDDD1D139D75B00534F8AE6FC373C595D8B289098A5293B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:21.899{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A30C39868EA6D5744AC6172FA430950,SHA256=F066D4173F667EFC939D6C1C09CFE2D60B564C4F449D0C6168F1D3DDA2B7D98D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:18.565{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49988-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x800000000000000031961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:21.500{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:21.500{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05E3BCCC9B650CBC239F76B4C2E98BD9,SHA256=9ED7718F5130E28CEFD1863E36463AD7EECF15801C38A8DB63A6B7E60F5C342F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000031959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:21.110{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-16 11:47:21.110 23542300x800000000000000014059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:22.895{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A73AFA94C67ECD44F60E51937BAF405F,SHA256=EC50C98A24C8E764DF9203184353115018C34F47A7FB62599FD58D9F21B7DA1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:22.612{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000031983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:22.608{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 11241100x800000000000000031982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:22.553{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000031981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:22.553{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB5D50FA94F074A0ECD6BA7BC0BBB27B,SHA256=8F9265C67A116AA6E62D11AF0F0C42C2973DBF90246808D5657A7B67259AB099,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:22.305{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000031979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:22.294{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000031978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:22.288{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000031977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:22.286{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000031976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:22.284{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000031975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:22.282{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000031974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:22.256{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000031973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:22.251{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000031972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:22.240{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000031971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:22.234{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000031970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:22.230{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000031969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:22.203{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000031968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:22.195{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000031967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:22.185{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000031966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:22.179{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000031965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:22.161{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000031964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:22.151{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000031963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:22.108{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000031962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:22.107{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 23542300x800000000000000014061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:23.988{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC9B7EB9C35F0462491194985362B7F,SHA256=53C7321CD27E73E5B690A0CC63F8DF10B12A9A550B4E097374E836574313E9A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.999{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-394B-63C5-A505-00000000AF02}7032C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 11241100x800000000000000032209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.994{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 11:10:32.859 23542300x800000000000000032208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.992{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C16AB8903EC21745AE0C5A27EAF70588,SHA256=E7A683058D273E47CD58B81DC2C2DAF0E149D59CC4953F6CF7EE5976337872D9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000032207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.916{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\cHpfiXA9s.README.txt2023-01-16 11:47:23.916 11241100x800000000000000032206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.914{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\cHpfiXA9s.README.txt2023-01-16 11:47:23.914 10341000x800000000000000032205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.900{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000032204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.900{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000032203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.900{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000032202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.897{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000032201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.897{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000032200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.897{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 11241100x800000000000000032199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.896{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1898f399-c028-4710-b40c-a5a12eaa891f}\cHpfiXA9s.README.txt2023-01-16 11:47:23.895 11241100x800000000000000032198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.895{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000032197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.894{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431F1C530C58B8602A01FF895B2C46A1,SHA256=9A3A4496E506AFE45939542797FEE58F5026003FD2B199BD1DD365B96B6F3F69,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:19.598{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56867-false10.0.1.12-8000- 11241100x800000000000000032195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.867{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{521a01b1-5b6c-41b6-ad58-79363f21599f}\cHpfiXA9s.README.txt2023-01-16 11:47:23.867 11241100x800000000000000032194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.851{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000032193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.851{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE739CA51F7A519239AA447B8F7CC27B,SHA256=2903797E9CF06A0D4969257C7784FA6D33041E3285347B4AF011C98E6D908BC1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000032192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.851{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000032191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.851{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D2BEB2B1EB35A7C61E0DCD3C5A783FB,SHA256=0E06CCFFBB681114F02F953C93E3601FA67AB9D8803CD24439A1E89B8CC15A91,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000032190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.836{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\cHpfiXA9s.README.txt2023-01-16 11:47:23.836 11241100x800000000000000032189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.836{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\cHpfiXA9s.README.txt2023-01-16 11:47:23.836 11241100x800000000000000032188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.836{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\cHpfiXA9s.README.txt2023-01-16 11:47:23.836 11241100x800000000000000032187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.836{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\cHpfiXA9s.README.txt2023-01-16 11:47:23.821 11241100x800000000000000032186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.821{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\RoamingState\cHpfiXA9s.README.txt2023-01-16 11:47:23.821 11241100x800000000000000032185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.821{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\cHpfiXA9s.README.txt2023-01-16 11:47:23.821 11241100x800000000000000032184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.821{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\SystemAppData\cHpfiXA9s.README.txt2023-01-16 11:47:23.821 11241100x800000000000000032183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.821{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\TempState\cHpfiXA9s.README.txt2023-01-16 11:47:23.821 11241100x800000000000000032182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.821{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\cHpfiXA9s.README.txt2023-01-16 11:47:23.821 11241100x800000000000000032181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.821{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\AC\Temp\cHpfiXA9s.README.txt2023-01-16 11:47:23.821 11241100x800000000000000032180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.821{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\AC\cHpfiXA9s.README.txt2023-01-16 11:47:23.821 11241100x800000000000000032179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.821{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\AppData\cHpfiXA9s.README.txt2023-01-16 11:47:23.821 11241100x800000000000000032178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.821{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\LocalCache\cHpfiXA9s.README.txt2023-01-16 11:47:23.821 23542300x800000000000000014060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:23.243{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\respondent-20230116112145-024MD5=B18DB66107F9A3DB58AE009D35CE0A39,SHA256=9B023875329D6D96D1D2E2C61D5FC66BDE525A94E7FC76E10487647BF6E62E63,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000032177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.805{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\LocalState\cHpfiXA9s.README.txt2023-01-16 11:47:23.805 11241100x800000000000000032176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.805{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\RoamingState\cHpfiXA9s.README.txt2023-01-16 11:47:23.805 11241100x800000000000000032175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.805{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\Settings\cHpfiXA9s.README.txt2023-01-16 11:47:23.805 11241100x800000000000000032174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.805{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\SystemAppData\cHpfiXA9s.README.txt2023-01-16 11:47:23.805 11241100x800000000000000032173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.805{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\TempState\cHpfiXA9s.README.txt2023-01-16 11:47:23.805 11241100x800000000000000032172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.805{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\cHpfiXA9s.README.txt2023-01-16 11:47:23.805 11241100x800000000000000032171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.805{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\Microsoft\cHpfiXA9s.README.txt2023-01-16 11:47:23.805 11241100x800000000000000032170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.805{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\Temp\cHpfiXA9s.README.txt2023-01-16 11:47:23.805 11241100x800000000000000032169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.805{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\cHpfiXA9s.README.txt2023-01-16 11:47:23.805 11241100x800000000000000032168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.805{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AppData\cHpfiXA9s.README.txt2023-01-16 11:47:23.805 11241100x800000000000000032167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.805{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\LocalCache\cHpfiXA9s.README.txt2023-01-16 11:47:23.805 11241100x800000000000000032166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.789{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\LocalState\cHpfiXA9s.README.txt2023-01-16 11:47:23.789 11241100x800000000000000032165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.789{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\RoamingState\cHpfiXA9s.README.txt2023-01-16 11:47:23.789 11241100x800000000000000032164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.789{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\cHpfiXA9s.README.txt2023-01-16 11:47:23.789 11241100x800000000000000032163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.789{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\SystemAppData\cHpfiXA9s.README.txt2023-01-16 11:47:23.789 11241100x800000000000000032162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.773{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\cHpfiXA9s.README.txt2023-01-16 11:47:23.773 11241100x800000000000000032161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.773{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\cHpfiXA9s.README.txt2023-01-16 11:47:23.773 11241100x800000000000000032160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.773{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AC\Temp\cHpfiXA9s.README.txt2023-01-16 11:47:23.773 11241100x800000000000000032159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.773{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AC\cHpfiXA9s.README.txt2023-01-16 11:47:23.773 11241100x800000000000000032158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.773{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AppData\cHpfiXA9s.README.txt2023-01-16 11:47:23.773 11241100x800000000000000032157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.773{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\LocalCache\cHpfiXA9s.README.txt2023-01-16 11:47:23.773 11241100x800000000000000032156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.773{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\LocalState\cHpfiXA9s.README.txt2023-01-16 11:47:23.773 11241100x800000000000000032155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.773{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\RoamingState\cHpfiXA9s.README.txt2023-01-16 11:47:23.773 11241100x800000000000000032154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.773{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Settings\cHpfiXA9s.README.txt2023-01-16 11:47:23.773 11241100x800000000000000032153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.773{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\SystemAppData\cHpfiXA9s.README.txt2023-01-16 11:47:23.773 11241100x800000000000000032152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.773{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\TempState\cHpfiXA9s.README.txt2023-01-16 11:47:23.773 11241100x800000000000000032151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.773{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\cHpfiXA9s.README.txt2023-01-16 11:47:23.758 11241100x800000000000000032150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.758{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\AC\cHpfiXA9s.README.txt2023-01-16 11:47:23.758 11241100x800000000000000032149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.758{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\AppData\cHpfiXA9s.README.txt2023-01-16 11:47:23.758 11241100x800000000000000032148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.758{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalCache\cHpfiXA9s.README.txt2023-01-16 11:47:23.758 11241100x800000000000000032147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.758{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\cHpfiXA9s.README.txt2023-01-16 11:47:23.758 11241100x800000000000000032146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.758{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\RoamingState\cHpfiXA9s.README.txt2023-01-16 11:47:23.758 11241100x800000000000000032145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.758{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\cHpfiXA9s.README.txt2023-01-16 11:47:23.758 11241100x800000000000000032144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.758{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\SystemAppData\cHpfiXA9s.README.txt2023-01-16 11:47:23.758 11241100x800000000000000032143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.758{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\TempState\cHpfiXA9s.README.txt2023-01-16 11:47:23.758 11241100x800000000000000032142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.758{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\cHpfiXA9s.README.txt2023-01-16 11:47:23.758 11241100x800000000000000032141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.758{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\AC\cHpfiXA9s.README.txt2023-01-16 11:47:23.758 11241100x800000000000000032140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.758{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\AppData\cHpfiXA9s.README.txt2023-01-16 11:47:23.758 11241100x800000000000000032139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.758{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\LocalCache\cHpfiXA9s.README.txt2023-01-16 11:47:23.758 11241100x800000000000000032138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.758{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\LocalState\cHpfiXA9s.README.txt2023-01-16 11:47:23.742 11241100x800000000000000032137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.742{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\RoamingState\cHpfiXA9s.README.txt2023-01-16 11:47:23.742 11241100x800000000000000032136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.742{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\Settings\cHpfiXA9s.README.txt2023-01-16 11:47:23.742 11241100x800000000000000032135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.742{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\SystemAppData\cHpfiXA9s.README.txt2023-01-16 11:47:23.742 11241100x800000000000000032134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.742{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\TempState\cHpfiXA9s.README.txt2023-01-16 11:47:23.742 11241100x800000000000000032133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.742{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\cHpfiXA9s.README.txt2023-01-16 11:47:23.742 11241100x800000000000000032132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.742{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AC\cHpfiXA9s.README.txt2023-01-16 11:47:23.742 11241100x800000000000000032131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.742{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AppData\cHpfiXA9s.README.txt2023-01-16 11:47:23.742 11241100x800000000000000032130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.742{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\LocalCache\cHpfiXA9s.README.txt2023-01-16 11:47:23.742 11241100x800000000000000032129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.742{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\LocalState\cHpfiXA9s.README.txt2023-01-16 11:47:23.742 11241100x800000000000000032128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.742{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\RoamingState\cHpfiXA9s.README.txt2023-01-16 11:47:23.742 11241100x800000000000000032127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.726{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\cHpfiXA9s.README.txt2023-01-16 11:47:23.726 11241100x800000000000000032126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.726{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\SystemAppData\cHpfiXA9s.README.txt2023-01-16 11:47:23.726 11241100x800000000000000032125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.726{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\TempState\cHpfiXA9s.README.txt2023-01-16 11:47:23.726 11241100x800000000000000032124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.726{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\cHpfiXA9s.README.txt2023-01-16 11:47:23.726 11241100x800000000000000032123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.726{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\cHpfiXA9s.README.txt2023-01-16 11:47:23.726 11241100x800000000000000032122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.726{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Temp\cHpfiXA9s.README.txt2023-01-16 11:47:23.726 11241100x800000000000000032121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.695{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\TileDataLayer\Database\cHpfiXA9s.README.txt2023-01-16 11:47:23.695 11241100x800000000000000032120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.695{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\TileDataLayer\cHpfiXA9s.README.txt2023-01-16 11:47:23.695 11241100x800000000000000032119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.695{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\cHpfiXA9s.README.txt2023-01-16 11:47:23.695 11241100x800000000000000032118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.695{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\LocalLow\cHpfiXA9s.README.txt2023-01-16 11:47:23.695 11241100x800000000000000032117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.680{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Roaming\Adobe\Flash Player\NativeCache\cHpfiXA9s.README.txt2023-01-16 11:47:23.680 11241100x800000000000000032116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.680{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Roaming\Adobe\Flash Player\cHpfiXA9s.README.txt2023-01-16 11:47:23.680 11241100x800000000000000032115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.680{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Roaming\Adobe\cHpfiXA9s.README.txt2023-01-16 11:47:23.680 11241100x800000000000000032114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.680{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Roaming\cHpfiXA9s.README.txt2023-01-16 11:47:23.680 11241100x800000000000000032113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.680{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\cHpfiXA9s.README.txt2023-01-16 11:47:23.680 11241100x800000000000000032112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.680{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\Contacts\cHpfiXA9s.README.txt2023-01-16 11:47:23.680 11241100x800000000000000032111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.664{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\Desktop\cHpfiXA9s.README.txt2023-01-16 11:47:23.664 11241100x800000000000000032110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.664{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\Documents\cHpfiXA9s.README.txt2023-01-16 11:47:23.664 11241100x800000000000000032109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.664{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\Downloads\cHpfiXA9s.README.txt2023-01-16 11:47:23.664 11241100x800000000000000032108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.664{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\Favorites\Links\cHpfiXA9s.README.txt2023-01-16 11:47:23.664 11241100x800000000000000032107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.664{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\Favorites\cHpfiXA9s.README.txt2023-01-16 11:47:23.664 11241100x800000000000000032106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.654{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\Links\cHpfiXA9s.README.txt2023-01-16 11:47:23.654 11241100x800000000000000032105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.654{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\Music\cHpfiXA9s.README.txt2023-01-16 11:47:23.654 11241100x800000000000000032104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.654{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\Pictures\cHpfiXA9s.README.txt2023-01-16 11:47:23.654 11241100x800000000000000032103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.654{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\Saved Games\cHpfiXA9s.README.txt2023-01-16 11:47:23.654 11241100x800000000000000032102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.654{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\Searches\cHpfiXA9s.README.txt2023-01-16 11:47:23.654 11241100x800000000000000032101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.654{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\Videos\cHpfiXA9s.README.txt2023-01-16 11:47:23.654 13241300x800000000000000032100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:23.654{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000604BA\VirtualDesktopBinary Data 11241100x800000000000000032099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.639{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\cHpfiXA9s.README.txt2023-01-16 11:47:23.639 11241100x800000000000000032098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.639{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Public\AccountPictures\cHpfiXA9s.README.txt2023-01-16 11:47:23.639 23542300x800000000000000032097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.639{FCCA13C7-394B-63C5-A305-00000000AF02}3676ATTACKRANGE\AdministratorC:\Temp\ConfirmEmail.exeC:\$Recycle.Bin\S-1-5-21-489063788-1047142772-617343651-500\ZZZZZZZZZZZMD5=0B6878F6BBD64FEEDD6DAB27FE6A23E4,SHA256=98FE051D7275E150588B9D8F865A6B8C93B0FBD1D10C3D5E4E5CD20A77DB5865,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000032096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.639{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Public\Desktop\cHpfiXA9s.README.txt2023-01-16 11:47:23.639 11241100x800000000000000032095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.639{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Public\Documents\cHpfiXA9s.README.txt2023-01-16 11:47:23.639 11241100x800000000000000032094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.639{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Public\Downloads\cHpfiXA9s.README.txt2023-01-16 11:47:23.639 11241100x800000000000000032093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.621{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Public\Libraries\cHpfiXA9s.README.txt2023-01-16 11:47:23.621 11241100x800000000000000032092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.621{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Public\Music\cHpfiXA9s.README.txt2023-01-16 11:47:23.621 11241100x800000000000000032091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.621{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Public\Pictures\cHpfiXA9s.README.txt2023-01-16 11:47:23.621 11241100x800000000000000032090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.621{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Public\Videos\cHpfiXA9s.README.txt2023-01-16 11:47:23.621 11241100x800000000000000032089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.606{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Public\cHpfiXA9s.README.txt2023-01-16 11:47:23.606 11241100x800000000000000032088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.606{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\cHpfiXA9s.README.txt2023-01-16 11:47:23.606 10341000x800000000000000032087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.606{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.606{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.606{FCCA13C7-30EC-63C5-0B00-00000000AF02}628668C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x800000000000000032084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:23.590{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000604BA 23542300x800000000000000032083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.590{FCCA13C7-394B-63C5-A305-00000000AF02}3676ATTACKRANGE\AdministratorC:\Temp\ConfirmEmail.exeC:\$Recycle.Bin\S-1-5-21-489063788-1047142772-617343651-500\desktop.iniMD5=5F54D1240735D46980B776AF554F44D3,SHA256=2C80619D7E7C58257293CDA3A878C13E5856F4E06F6F90601276F7B9179C9E07,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000032082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.590{FCCA13C7-394B-63C5-A305-00000000AF02}3676ATTACKRANGE\AdministratorC:\Temp\ConfirmEmail.exeC:\$Recycle.Bin\S-1-5-21-489063788-1047142772-617343651-500\desktop.iniMD5=5F54D1240735D46980B776AF554F44D3,SHA256=2C80619D7E7C58257293CDA3A878C13E5856F4E06F6F90601276F7B9179C9E07,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000032081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.590{FCCA13C7-394B-63C5-A305-00000000AF02}3676ATTACKRANGE\AdministratorC:\Temp\ConfirmEmail.exeC:\$Recycle.Bin\S-1-5-21-489063788-1047142772-617343651-500\desktop.iniMD5=A526B9E7C716B3489D8CC062FBCE4005,SHA256=E1B9CE9B57957B1A0607A72A057D6B7A9B34EA60F3F8AA8F38A3AF979BD23066,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000032080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.590{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\cHpfiXA9s.README.txt2023-01-16 11:47:23.590 11241100x800000000000000032079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.590{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Sysmon\A526B9E7C716B3489D8CC062FBCE4005E1B9CE9B57957B1A0607A72A057D6B7A9B34EA60F3F8AA8F38A3AF979BD2306600000000000000000000000000000000.ini2023-01-16 11:47:23.590 10341000x800000000000000032078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.574{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.574{FCCA13C7-394B-63C5-A305-00000000AF02}36761856C:\Temp\ConfirmEmail.exe{FCCA13C7-3816-63C5-7905-00000000AF02}5168C:\Program Files\Notepad++\notepad++.exe0x1C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Temp\ConfirmEmail.exe+7f19|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 12241200x800000000000000032076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:23.574{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\VSS 12241200x800000000000000032075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:23.574{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\VSS\VssAccessControl 12241200x800000000000000032074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:23.574{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\VSS\Settings 12241200x800000000000000032073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:23.574{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\VSS\Settings\WritersBlockingRevert 12241200x800000000000000032072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:23.574{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\VSS\Providers 12241200x800000000000000032071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:23.574{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\VSS\Providers\{b5946137-7b9f-4925-af80-51abd60b20d5} 12241200x800000000000000032070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:23.574{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\VSS\Providers\{b5946137-7b9f-4925-af80-51abd60b20d5}\CLSID 12241200x800000000000000032069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:23.574{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\VSS\Providers\{89300202-3cec-4981-9171-19f59559e0f2} 12241200x800000000000000032068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:23.574{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\VSS\Providers\{89300202-3cec-4981-9171-19f59559e0f2}\CLSID 12241200x800000000000000032067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:23.574{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\VSS\Diag 12241200x800000000000000032066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:23.574{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\VSS\Diag\WMI Writer 12241200x800000000000000032065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:23.574{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap 12241200x800000000000000032064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:23.574{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\VSS\Diag\System Writer 12241200x800000000000000032063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:23.574{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\VSS\Diag\NTDS 12241200x800000000000000032062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:23.574{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\VSS\Diag\DFS Replication service writer 13241300x800000000000000032061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:23.574{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\VSS\StartDWORD (0x00000004) 13241300x800000000000000032060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:23.574{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\VSS\DeleteFlagDWORD (0x00000001) 12241200x800000000000000032059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:23.574{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\vmicvss 12241200x800000000000000032058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:23.574{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\vmicvss\TriggerInfo 12241200x800000000000000032057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:23.574{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\vmicvss\TriggerInfo\0 12241200x800000000000000032056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:23.574{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\vmicvss\Parameters 13241300x800000000000000032055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:23.574{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\vmicvss\StartDWORD (0x00000004) 13241300x800000000000000032054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:23.574{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\vmicvss\DeleteFlagDWORD (0x00000001) 13241300x800000000000000032053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:23.574{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\sppsvc\StartDWORD (0x00000004) 13241300x800000000000000032052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:23.574{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\sppsvc\DeleteFlagDWORD (0x00000001) 10341000x800000000000000032051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.559{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-394B-63C5-A505-00000000AF02}7032C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.543{FCCA13C7-394B-63C5-A305-00000000AF02}36766568C:\Temp\ConfirmEmail.exe{FCCA13C7-394B-63C5-A505-00000000AF02}7032C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Temp\ConfirmEmail.exe+98f5|C:\Temp\ConfirmEmail.exe+8fee|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000032049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.543{FCCA13C7-30EC-63C5-0A00-00000000AF02}6201940C:\Windows\system32\services.exe{FCCA13C7-394B-63C5-A505-00000000AF02}7032C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.543{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.543{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.543{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.543{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.543{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-394B-63C5-A505-00000000AF02}7032C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.543{FCCA13C7-30EC-63C5-0A00-00000000AF02}620708C:\Windows\system32\services.exe{FCCA13C7-394B-63C5-A505-00000000AF02}7032C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.546{FCCA13C7-394B-63C5-A505-00000000AF02}7032C:\Windows\servicing\TrustedInstaller.exe10.0.14393.3564 (rs1_release.200303-1942)Windows Modules InstallerMicrosoft® Windows® Operating SystemMicrosoft CorporationTrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=187076E4BC7B2F5FB7D54D1234B3CDEA,SHA256=7AE4CC64E2F0E5C58ABB6542233DA78B9AEAAD22C9D853AB96265EF3FBFEFABE,IMPHASH=648F735E453FC6802BFAECAC5ACA72A4{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x800000000000000032041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.543{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.543{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.543{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.528{FCCA13C7-394B-63C5-A305-00000000AF02}36766568C:\Temp\ConfirmEmail.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Temp\ConfirmEmail.exe+98f5|C:\Temp\ConfirmEmail.exe+8fae|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000032037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:23.528{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 10341000x800000000000000032036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.496{FCCA13C7-394B-63C5-A305-00000000AF02}36762100C:\Temp\ConfirmEmail.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+1939d9(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Temp\ConfirmEmail.exe+c626|C:\Temp\ConfirmEmail.exe+9af3|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000032035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.496{FCCA13C7-394B-63C5-A305-00000000AF02}36762100C:\Temp\ConfirmEmail.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+19395a(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Temp\ConfirmEmail.exe+c626|C:\Temp\ConfirmEmail.exe+9af3|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000032034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.496{FCCA13C7-394B-63C5-A305-00000000AF02}36762100C:\Temp\ConfirmEmail.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Temp\ConfirmEmail.exe+c626|C:\Temp\ConfirmEmail.exe+9af3|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000032033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.496{FCCA13C7-394B-63C5-A305-00000000AF02}36762100C:\Temp\ConfirmEmail.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Temp\ConfirmEmail.exe+c626|C:\Temp\ConfirmEmail.exe+9af3|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000032032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:23.496{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\GlobalAssocChangedCounterDWORD (0x00000001) 10341000x800000000000000032031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.496{FCCA13C7-30EE-63C5-1600-00000000AF02}12921824C:\Windows\system32\svchost.exe{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.496{FCCA13C7-30EE-63C5-1600-00000000AF02}12921332C:\Windows\system32\svchost.exe{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.496{FCCA13C7-394B-63C5-A305-00000000AF02}36762100C:\Temp\ConfirmEmail.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\shell32.dll+130450(wow64)|C:\Windows\System32\shell32.dll+19361f(wow64)|C:\Temp\ConfirmEmail.exe+c626|C:\Temp\ConfirmEmail.exe+9af3|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000032028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.496{FCCA13C7-394B-63C5-A305-00000000AF02}36762100C:\Temp\ConfirmEmail.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+130442(wow64)|C:\Windows\System32\shell32.dll+19361f(wow64)|C:\Temp\ConfirmEmail.exe+c626|C:\Temp\ConfirmEmail.exe+9af3|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000032027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.496{FCCA13C7-394B-63C5-A305-00000000AF02}36762100C:\Temp\ConfirmEmail.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+130442(wow64)|C:\Windows\System32\shell32.dll+19361f(wow64)|C:\Temp\ConfirmEmail.exe+c626|C:\Temp\ConfirmEmail.exe+9af3|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000032026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:23.496{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKCR\cHpfiXA9s\DefaultIcon\(Default)C:\ProgramData\cHpfiXA9s.ico 13241300x800000000000000032025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:23.496{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKCR\.cHpfiXA9s\(Default)cHpfiXA9s 11241100x800000000000000032024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.496{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\cHpfiXA9s.ico2023-01-16 11:47:23.496 10341000x800000000000000032023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.496{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.496{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.481{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.481{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.481{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.481{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.481{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.481{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.481{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.481{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.481{FCCA13C7-394B-63C5-A305-00000000AF02}36762100C:\Temp\ConfirmEmail.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Temp\ConfirmEmail.exe+98f5|C:\Temp\ConfirmEmail.exe+b3b3|C:\Temp\ConfirmEmail.exe+9a29|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000032012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.465{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-394B-63C5-A405-00000000AF02}6560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.465{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.465{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.465{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.465{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.465{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-394B-63C5-A405-00000000AF02}6560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.465{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-394B-63C5-A405-00000000AF02}6560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.466{FCCA13C7-394B-63C5-A405-00000000AF02}6560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.277{FCCA13C7-30EC-63C5-0B00-00000000AF02}628668C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.277{FCCA13C7-30EC-63C5-0B00-00000000AF02}628668C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000032002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:23.199{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{223995FA-DC5A-4A3D-B3AE-20B18FD7A218}\LaunchCountDWORD (0x00000001) 13241300x800000000000000032001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:23.199{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{223995FA-DC5A-4A3D-B3AE-20B18FD7A218}\LastAccessedTimeQWORD (0x01d929a0-0x4c112b00) 13241300x800000000000000032000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:23.184{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{223995FA-DC5A-4A3D-B3AE-20B18FD7A218}\LaunchCountDWORD (0x00000001) 13241300x800000000000000031999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:23.184{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{223995FA-DC5A-4A3D-B3AE-20B18FD7A218}\AppIdC:\Temp\ConfirmEmail.exe 13241300x800000000000000031998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:23.184{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{223995FA-DC5A-4A3D-B3AE-20B18FD7A218}\LastAccessedTimeQWORD (0x01d929a0-0x4c112b00) 13241300x800000000000000031997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:23.184{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000031996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:23.184{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Grzc\PbasvezRznvy.rkrBinary Data 10341000x800000000000000031995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.184{FCCA13C7-30ED-63C5-1300-00000000AF02}10001344C:\Windows\System32\svchost.exe{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000031994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:23.184{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\ConfirmEmail.exeBinary Data 10341000x800000000000000031993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.184{FCCA13C7-30ED-63C5-1300-00000000AF02}10001148C:\Windows\System32\svchost.exe{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.184{FCCA13C7-30ED-63C5-1300-00000000AF02}10001148C:\Windows\System32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.168{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.168{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.168{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.168{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.168{FCCA13C7-3383-63C5-8701-00000000AF02}33724520C:\Windows\system32\csrss.exe{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.168{FCCA13C7-3387-63C5-9D01-00000000AF02}12842424C:\Windows\Explorer.EXE{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\windows.storage.dll+16fcea|C:\Windows\System32\windows.storage.dll+16faa6|C:\Windows\System32\SHELL32.dll+5c3dd|C:\Windows\System32\SHELL32.dll+5b256|C:\Windows\System32\SHELL32.dll+4d869|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+177a30|C:\Windows\System32\SHELL32.dll+177683|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000031985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.174{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exe-----"C:\Temp\ConfirmEmail.exe" C:\Temp\ATTACKRANGE\Administrator{FCCA13C7-3385-63C5-B3E7-140000000000}0x14e7b32HighMD5=75256873A03F4A4BC073185F48C1097C,SHA256=068CA3E92C65EB907B5A34BE16580E267EFBBDE6F9129CA30AD80C948A1D3FFD,IMPHASH=41FB8CB2943DF6DE998B35A9D28668E8{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\explorer.exe"C:\Windows\Explorer.EXE" /NOUACCHECK 10341000x800000000000000032437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.966{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-394C-63C5-A705-00000000AF02}2300C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000032436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.966{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-394C-63C5-A705-00000000AF02}2300C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000032435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.966{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-394C-63C5-A705-00000000AF02}2300C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000032434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.964{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-394C-63C5-A705-00000000AF02}2300C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000032433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.964{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-394C-63C5-A705-00000000AF02}2300C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000032432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.964{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-394C-63C5-A705-00000000AF02}2300C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 354300x800000000000000032431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:21.962{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local57396- 354300x800000000000000032430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:21.755{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local56868-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local135epmap 354300x800000000000000032429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:21.754{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local56868-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local135epmap 13241300x800000000000000032428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:24.812{FCCA13C7-3386-63C5-9201-00000000AF02}2980C:\Windows\system32\sihost.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\PlmVolatile\TerminationType\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy!AppDWORD (0x00000004) 10341000x800000000000000032427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.796{FCCA13C7-30ED-63C5-0D00-00000000AF02}9085688C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.796{FCCA13C7-30ED-63C5-0D00-00000000AF02}9085688C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.796{FCCA13C7-30ED-63C5-0D00-00000000AF02}9085688C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.796{FCCA13C7-30ED-63C5-0D00-00000000AF02}9085688C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.796{FCCA13C7-30ED-63C5-0D00-00000000AF02}9085688C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.796{FCCA13C7-30ED-63C5-0D00-00000000AF02}9085688C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.796{FCCA13C7-30ED-63C5-0D00-00000000AF02}9085688C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.796{FCCA13C7-30ED-63C5-0D00-00000000AF02}9085688C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.796{FCCA13C7-30ED-63C5-0D00-00000000AF02}9085688C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x800000000000000032418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:24.796{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000032417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:24.796{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000032416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:24.796{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000032415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:24.796{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000032414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:24.796{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000032413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:24.796{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000032412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.796{FCCA13C7-3387-63C5-9D01-00000000AF02}12846000C:\Windows\Explorer.EXE{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+36033d|C:\Windows\System32\sechost.dll+147fd|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000032411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.781{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\TileDataLayer\Database\EDB.chk2023-01-16 10:36:29.104 10341000x800000000000000032410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.734{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000032409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:24.734{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000032408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:24.734{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000032407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:24.734{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000032406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:24.734{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000032405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:24.734{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 11241100x800000000000000032404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.718{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\TileDataLayer\Database\cHpfiXA9s.README.txt2023-01-16 11:47:24.718 11241100x800000000000000032403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.718{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\TileDataLayer\cHpfiXA9s.README.txt2023-01-16 11:47:24.718 11241100x800000000000000032402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.718{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\cHpfiXA9s.README.txt2023-01-16 11:47:24.718 11241100x800000000000000032401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.718{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\LocalLow\cHpfiXA9s.README.txt2023-01-16 11:47:24.718 11241100x800000000000000032400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.718{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Roaming\Adobe\Flash Player\NativeCache\cHpfiXA9s.README.txt2023-01-16 11:47:24.718 11241100x800000000000000032399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.718{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Roaming\Adobe\Flash Player\cHpfiXA9s.README.txt2023-01-16 11:47:24.718 11241100x800000000000000032398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.718{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Roaming\Adobe\cHpfiXA9s.README.txt2023-01-16 11:47:24.718 11241100x800000000000000032397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.718{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\cHpfiXA9s.README.txt2023-01-16 11:47:24.718 11241100x800000000000000032396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.703{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Roaming\Notepad++\plugins\config\cHpfiXA9s.README.txt2023-01-16 11:47:24.703 11241100x800000000000000032395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.703{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Roaming\Notepad++\plugins\cHpfiXA9s.README.txt2023-01-16 11:47:24.703 11241100x800000000000000032394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.703{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Roaming\Notepad++\themes\cHpfiXA9s.README.txt2023-01-16 11:47:24.703 11241100x800000000000000032393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.703{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Roaming\Notepad++\userDefineLangs\cHpfiXA9s.README.txt2023-01-16 11:47:24.703 11241100x800000000000000032392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.687{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Roaming\Notepad++\cHpfiXA9s.README.txt2023-01-16 11:47:24.687 11241100x800000000000000032391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.687{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Roaming\cHpfiXA9s.README.txt2023-01-16 11:47:24.687 11241100x800000000000000032390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.687{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\cHpfiXA9s.README.txt2023-01-16 11:47:24.687 11241100x800000000000000032389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.687{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\Contacts\cHpfiXA9s.README.txt2023-01-16 11:47:24.687 11241100x800000000000000032388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.677{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\Desktop\cHpfiXA9s.README.txt2023-01-16 11:47:24.677 11241100x800000000000000032387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.677{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\Documents\WindowsPowerShell\cHpfiXA9s.README.txt2023-01-16 11:47:24.677 11241100x800000000000000032386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.677{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\Documents\cHpfiXA9s.README.txt2023-01-16 11:47:24.677 11241100x800000000000000032385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.677{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\Downloads\cHpfiXA9s.README.txt2023-01-16 11:47:24.677 11241100x800000000000000032384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.677{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\Favorites\Links\cHpfiXA9s.README.txt2023-01-16 11:47:24.677 11241100x800000000000000032383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.677{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000032382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.677{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85B31D45BC4D39406764AE9DCDE50C89,SHA256=C7A547F31FB9F104AD23AD2D6D9F4B9CAAE3A8A143772215FB0CBE8EF149E1AB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000032381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.677{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\Favorites\cHpfiXA9s.README.txt2023-01-16 11:47:24.677 11241100x800000000000000032380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.662{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\Links\cHpfiXA9s.README.txt2023-01-16 11:47:24.662 11241100x800000000000000032379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.662{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\Music\cHpfiXA9s.README.txt2023-01-16 11:47:24.662 11241100x800000000000000032378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.662{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\Pictures\cHpfiXA9s.README.txt2023-01-16 11:47:24.662 11241100x800000000000000032377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.662{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\Saved Games\cHpfiXA9s.README.txt2023-01-16 11:47:24.662 11241100x800000000000000032376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.662{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\Searches\cHpfiXA9s.README.txt2023-01-16 11:47:24.662 11241100x800000000000000032375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.662{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\Videos\cHpfiXA9s.README.txt2023-01-16 11:47:24.662 12241200x800000000000000032374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:24.662{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000032373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:24.662{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000032372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:24.662{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000032371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:24.662{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000032370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:24.662{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000032369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:24.662{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000032368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.657{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000032367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.656{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000032366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.653{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000032365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.651{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000032364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.650{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000032363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.645{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 13241300x800000000000000032362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:24.645{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000032361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:24.645{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000032360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:24.629{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000032359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:24.629{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000032358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:24.629{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 11241100x800000000000000032357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.629{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\cHpfiXA9s.README.txt2023-01-16 11:47:24.629 11241100x800000000000000032356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.629{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\AWSToolkit\cHpfiXA9s.README.txt2023-01-16 11:47:24.629 11241100x800000000000000032355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.629{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Comms\Unistore\data\cHpfiXA9s.README.txt2023-01-16 11:47:24.629 11241100x800000000000000032354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.629{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Comms\Unistore\cHpfiXA9s.README.txt2023-01-16 11:47:24.629 10341000x800000000000000032353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.598{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-394C-63C5-A805-00000000AF02}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.598{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.598{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.598{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.598{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.598{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-394C-63C5-A805-00000000AF02}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.598{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-394C-63C5-A805-00000000AF02}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.600{FCCA13C7-394C-63C5-A805-00000000AF02}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000014062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:24.256{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\surveyor-20230116112142-025MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000032345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.551{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Comms\UnistoreDB\cHpfiXA9s.README.txt2023-01-16 11:47:24.551 11241100x800000000000000032344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.551{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Comms\cHpfiXA9s.README.txt2023-01-16 11:47:24.551 11241100x800000000000000032343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.551{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 11:11:01.844 23542300x800000000000000032342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.551{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55A8F945EABCCD94948BF956B1AB68DD,SHA256=951E61E824C37656694FE2281A87358E3611046D0962837AF4B273E134318D52,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000032341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.495{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\ConnectedDevicesPlatform\cHpfiXA9s.README.txt2023-01-16 11:47:24.495 11241100x800000000000000032340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.495{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\cHpfiXA9s.README.txt2023-01-16 11:47:24.495 11241100x800000000000000032339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.495{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\cHpfiXA9s.README.txt2023-01-16 11:47:24.495 11241100x800000000000000032338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.495{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Microsoft\Feeds\cHpfiXA9s.README.txt2023-01-16 11:47:24.495 11241100x800000000000000032337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.495{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Microsoft\InstallAgent\Checkpoints\cHpfiXA9s.README.txt2023-01-16 11:47:24.495 11241100x800000000000000032336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.495{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Microsoft\InstallAgent\cHpfiXA9s.README.txt2023-01-16 11:47:24.495 11241100x800000000000000032335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.495{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Microsoft\Internet Explorer\IECompatData\cHpfiXA9s.README.txt2023-01-16 11:47:24.495 11241100x800000000000000032334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.479{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Microsoft\Internet Explorer\imagestore\2p6opy5\cHpfiXA9s.README.txt2023-01-16 11:47:24.479 11241100x800000000000000032333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.479{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Microsoft\Internet Explorer\imagestore\cHpfiXA9s.README.txt2023-01-16 11:47:24.479 11241100x800000000000000032332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.479{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Microsoft\Internet Explorer\TabRoaming\cHpfiXA9s.README.txt2023-01-16 11:47:24.479 11241100x800000000000000032331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.479{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Microsoft\Internet Explorer\Tracking Protection\cHpfiXA9s.README.txt2023-01-16 11:47:24.479 11241100x800000000000000032330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.462{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Microsoft\Internet Explorer\cHpfiXA9s.README.txt2023-01-16 11:47:24.462 23542300x800000000000000032329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.462{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=27DC9A926208132C6FE3E4538882E6C2,SHA256=11F6294C19CD4BE767C33FCA391E892F19F52C6B5AB9F9EEFA9238D90059715D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000032328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.431{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00040D1C\cHpfiXA9s.README.txt2023-01-16 11:47:24.431 11241100x800000000000000032327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.400{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00044FE1\cHpfiXA9s.README.txt2023-01-16 11:47:24.400 11241100x800000000000000032326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.368{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0004CFDF\cHpfiXA9s.README.txt2023-01-16 11:47:24.368 11241100x800000000000000032325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.327{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0015846C\cHpfiXA9s.README.txt2023-01-16 11:47:24.327 11241100x800000000000000032324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.286{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0026B51E\cHpfiXA9s.README.txt2023-01-16 11:47:24.286 11241100x800000000000000032323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.272{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2023-01-16 11:10:38.139 23542300x800000000000000032322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.272{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=91A627260AC8FC871D72010458C280D7,SHA256=F1138BAE906FB80D3A5F10E7B7ACEB142C6EDE800D74CD2AC414AF1776A13632,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000032321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.245{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\002AC538\cHpfiXA9s.README.txt2023-01-16 11:47:24.245 11241100x800000000000000032320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.244{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\cHpfiXA9s.README.txt2023-01-16 11:47:24.243 11241100x800000000000000032319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.242{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Microsoft\Media Player\Sync Playlists\cHpfiXA9s.README.txt2023-01-16 11:47:24.242 11241100x800000000000000032318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.242{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Microsoft\Media Player\cHpfiXA9s.README.txt2023-01-16 11:47:24.242 11241100x800000000000000032317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.236{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Microsoft\PenWorkspace\cHpfiXA9s.README.txt2023-01-16 11:47:24.236 11241100x800000000000000032316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.235{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Microsoft\PlayReady\Internet Explorer\Desktop\cHpfiXA9s.README.txt2023-01-16 11:47:24.235 11241100x800000000000000032315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.235{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000032314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.234{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2954DD2CEA615825B7D01E4A1A949DE4,SHA256=E82CDA7A642F2FAADABC1A7E22DB07766538E174408A3A77D04845C902919D5A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000032313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.234{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Microsoft\PlayReady\Internet Explorer\InPrivate\Desktop\cHpfiXA9s.README.txt2023-01-16 11:47:24.233 11241100x800000000000000032312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.230{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Microsoft\PlayReady\Internet Explorer\InPrivate\cHpfiXA9s.README.txt2023-01-16 11:47:24.230 11241100x800000000000000032311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.229{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Microsoft\PlayReady\Internet Explorer\cHpfiXA9s.README.txt2023-01-16 11:47:24.229 11241100x800000000000000032310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.229{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Microsoft\PlayReady\cHpfiXA9s.README.txt2023-01-16 11:47:24.229 11241100x800000000000000032309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.228{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Microsoft\Vault\cHpfiXA9s.README.txt2023-01-16 11:47:24.228 11241100x800000000000000032308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.227{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\Gadgets\cHpfiXA9s.README.txt2023-01-16 11:47:24.227 11241100x800000000000000032307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.213{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\cHpfiXA9s.README.txt2023-01-16 11:47:24.213 11241100x800000000000000032306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.212{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Microsoft\cHpfiXA9s.README.txt2023-01-16 11:47:24.212 11241100x800000000000000032305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.212{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\cHpfiXA9s.README.txt2023-01-16 11:47:24.212 11241100x800000000000000032304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.211{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\ActiveSync\LocalState\cHpfiXA9s.README.txt2023-01-16 11:47:24.211 11241100x800000000000000032303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.210{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\ActiveSync\cHpfiXA9s.README.txt2023-01-16 11:47:24.210 11241100x800000000000000032302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.210{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\Temp\cHpfiXA9s.README.txt2023-01-16 11:47:24.209 11241100x800000000000000032301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.209{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\cHpfiXA9s.README.txt2023-01-16 11:47:24.209 11241100x800000000000000032300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.208{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AppData\cHpfiXA9s.README.txt2023-01-16 11:47:24.207 11241100x800000000000000032299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.207{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\LocalCache\cHpfiXA9s.README.txt2023-01-16 11:47:24.207 11241100x800000000000000032298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.206{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\LocalState\cHpfiXA9s.README.txt2023-01-16 11:47:24.206 11241100x800000000000000032297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.204{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\RoamingState\cHpfiXA9s.README.txt2023-01-16 11:47:24.204 10341000x800000000000000032296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.204{FCCA13C7-394C-63C5-A605-00000000AF02}67685964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000032295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.200{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Settings\cHpfiXA9s.README.txt2023-01-16 11:47:24.200 11241100x800000000000000032294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.199{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\SystemAppData\cHpfiXA9s.README.txt2023-01-16 11:47:24.199 11241100x800000000000000032293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.198{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\TempState\cHpfiXA9s.README.txt2023-01-16 11:47:24.198 11241100x800000000000000032292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.197{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\cHpfiXA9s.README.txt2023-01-16 11:47:24.197 11241100x800000000000000032291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.195{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\AC\Temp\cHpfiXA9s.README.txt2023-01-16 11:47:24.195 11241100x800000000000000032290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.195{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\AC\cHpfiXA9s.README.txt2023-01-16 11:47:24.194 11241100x800000000000000032289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.193{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\AppData\cHpfiXA9s.README.txt2023-01-16 11:47:24.193 11241100x800000000000000032288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.193{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\LocalCache\cHpfiXA9s.README.txt2023-01-16 11:47:24.192 11241100x800000000000000032287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.191{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\LocalState\cHpfiXA9s.README.txt2023-01-16 11:47:24.191 11241100x800000000000000032286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.191{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\RoamingState\cHpfiXA9s.README.txt2023-01-16 11:47:24.190 11241100x800000000000000032285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.187{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\cHpfiXA9s.README.txt2023-01-16 11:47:24.187 11241100x800000000000000032284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.186{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\SystemAppData\cHpfiXA9s.README.txt2023-01-16 11:47:24.186 11241100x800000000000000032283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.185{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\TempState\cHpfiXA9s.README.txt2023-01-16 11:47:24.185 11241100x800000000000000032282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.184{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\cHpfiXA9s.README.txt2023-01-16 11:47:24.184 11241100x800000000000000032281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.183{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\AC\Temp\cHpfiXA9s.README.txt2023-01-16 11:47:24.182 11241100x800000000000000032280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.182{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\AC\cHpfiXA9s.README.txt2023-01-16 11:47:24.182 11241100x800000000000000032279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.181{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\AppData\cHpfiXA9s.README.txt2023-01-16 11:47:24.181 11241100x800000000000000032278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.180{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\LocalCache\cHpfiXA9s.README.txt2023-01-16 11:47:24.180 11241100x800000000000000032277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.179{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\LocalState\cHpfiXA9s.README.txt2023-01-16 11:47:24.179 11241100x800000000000000032276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.178{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\RoamingState\cHpfiXA9s.README.txt2023-01-16 11:47:24.178 11241100x800000000000000032275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.170{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\Settings\cHpfiXA9s.README.txt2023-01-16 11:47:24.170 11241100x800000000000000032274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.169{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\SystemAppData\cHpfiXA9s.README.txt2023-01-16 11:47:24.169 11241100x800000000000000032273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.168{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\TempState\cHpfiXA9s.README.txt2023-01-16 11:47:24.168 11241100x800000000000000032272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.167{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\cHpfiXA9s.README.txt2023-01-16 11:47:24.167 11241100x800000000000000032271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.166{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\AC\Temp\cHpfiXA9s.README.txt2023-01-16 11:47:24.166 11241100x800000000000000032270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.165{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\AC\cHpfiXA9s.README.txt2023-01-16 11:47:24.165 11241100x800000000000000032269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.164{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\AppData\cHpfiXA9s.README.txt2023-01-16 11:47:24.164 11241100x800000000000000032268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.163{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\LocalCache\cHpfiXA9s.README.txt2023-01-16 11:47:24.163 11241100x800000000000000032267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.162{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\LocalState\cHpfiXA9s.README.txt2023-01-16 11:47:24.162 11241100x800000000000000032266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.162{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\RoamingState\cHpfiXA9s.README.txt2023-01-16 11:47:24.161 11241100x800000000000000032265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.157{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\Settings\cHpfiXA9s.README.txt2023-01-16 11:47:24.157 11241100x800000000000000032264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.156{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\SystemAppData\cHpfiXA9s.README.txt2023-01-16 11:47:24.156 11241100x800000000000000032263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.156{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\TempState\cHpfiXA9s.README.txt2023-01-16 11:47:24.155 11241100x800000000000000032262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.155{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\cHpfiXA9s.README.txt2023-01-16 11:47:24.155 11241100x800000000000000032261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.154{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\AC\Temp\cHpfiXA9s.README.txt2023-01-16 11:47:24.153 11241100x800000000000000032260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.153{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\AC\cHpfiXA9s.README.txt2023-01-16 11:47:24.153 11241100x800000000000000032259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.151{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\AppData\cHpfiXA9s.README.txt2023-01-16 11:47:24.151 11241100x800000000000000032258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.151{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\LocalCache\cHpfiXA9s.README.txt2023-01-16 11:47:24.151 11241100x800000000000000032257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.150{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\LocalState\cHpfiXA9s.README.txt2023-01-16 11:47:24.150 11241100x800000000000000032256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.149{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\RoamingState\cHpfiXA9s.README.txt2023-01-16 11:47:24.149 11241100x800000000000000032255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.144{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\Settings\cHpfiXA9s.README.txt2023-01-16 11:47:24.144 11241100x800000000000000032254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.143{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\SystemAppData\cHpfiXA9s.README.txt2023-01-16 11:47:24.143 11241100x800000000000000032253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.143{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\TempState\cHpfiXA9s.README.txt2023-01-16 11:47:24.142 11241100x800000000000000032252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.142{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\cHpfiXA9s.README.txt2023-01-16 11:47:24.141 11241100x800000000000000032251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.140{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\AC\Temp\cHpfiXA9s.README.txt2023-01-16 11:47:24.140 11241100x800000000000000032250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.139{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\AC\cHpfiXA9s.README.txt2023-01-16 11:47:24.139 11241100x800000000000000032249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.138{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\AppData\cHpfiXA9s.README.txt2023-01-16 11:47:24.138 11241100x800000000000000032248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.137{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\LocalCache\cHpfiXA9s.README.txt2023-01-16 11:47:24.137 11241100x800000000000000032247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.136{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\LocalState\cHpfiXA9s.README.txt2023-01-16 11:47:24.136 11241100x800000000000000032246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.135{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\RoamingState\cHpfiXA9s.README.txt2023-01-16 11:47:24.135 11241100x800000000000000032245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.132{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\Settings\cHpfiXA9s.README.txt2023-01-16 11:47:24.132 11241100x800000000000000032244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.131{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\SystemAppData\cHpfiXA9s.README.txt2023-01-16 11:47:24.130 11241100x800000000000000032243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.129{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\TempState\cHpfiXA9s.README.txt2023-01-16 11:47:24.129 11241100x800000000000000032242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.129{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\cHpfiXA9s.README.txt2023-01-16 11:47:24.129 11241100x800000000000000032241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.125{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\Temp\cHpfiXA9s.README.txt2023-01-16 11:47:24.125 11241100x800000000000000032240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.125{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\cHpfiXA9s.README.txt2023-01-16 11:47:24.124 11241100x800000000000000032239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.124{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AppData\cHpfiXA9s.README.txt2023-01-16 11:47:24.123 11241100x800000000000000032238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.122{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\LocalCache\cHpfiXA9s.README.txt2023-01-16 11:47:24.122 11241100x800000000000000032237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.122{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\LocalState\cHpfiXA9s.README.txt2023-01-16 11:47:24.121 11241100x800000000000000032236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.121{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\RoamingState\cHpfiXA9s.README.txt2023-01-16 11:47:24.120 11241100x800000000000000032235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.116{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\Settings\cHpfiXA9s.README.txt2023-01-16 11:47:24.116 11241100x800000000000000032234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.115{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\SystemAppData\cHpfiXA9s.README.txt2023-01-16 11:47:24.115 11241100x800000000000000032233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.114{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\TempState\cHpfiXA9s.README.txt2023-01-16 11:47:24.114 11241100x800000000000000032232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.113{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\cHpfiXA9s.README.txt2023-01-16 11:47:24.113 11241100x800000000000000032231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.112{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\cHpfiXA9s.README.txt2023-01-16 11:47:24.112 11241100x800000000000000032230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.111{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Temp\cHpfiXA9s.README.txt2023-01-16 11:47:24.111 11241100x800000000000000032229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.110{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\cHpfiXA9s.README.txt2023-01-16 11:47:24.110 11241100x800000000000000032228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.109{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AppData\cHpfiXA9s.README.txt2023-01-16 11:47:24.109 11241100x800000000000000032227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.108{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Default\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalCache\cHpfiXA9s.README.txt2023-01-16 11:47:24.108 10341000x800000000000000032226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.053{FCCA13C7-30EE-63C5-1600-00000000AF02}12921824C:\Windows\system32\svchost.exe{FCCA13C7-394C-63C5-A705-00000000AF02}2300C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.053{FCCA13C7-30EE-63C5-1600-00000000AF02}12921332C:\Windows\system32\svchost.exe{FCCA13C7-394C-63C5-A705-00000000AF02}2300C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.048{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-394C-63C5-A705-00000000AF02}2300C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.041{FCCA13C7-3383-63C5-8701-00000000AF02}33724520C:\Windows\system32\csrss.exe{FCCA13C7-394C-63C5-A705-00000000AF02}2300C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.039{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-394C-63C5-A705-00000000AF02}2300C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.039{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-394C-63C5-A705-00000000AF02}2300C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.034{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-394C-63C5-A605-00000000AF02}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.032{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.032{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.032{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.031{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.031{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-394C-63C5-A605-00000000AF02}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.030{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-394C-63C5-A605-00000000AF02}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.030{FCCA13C7-394C-63C5-A605-00000000AF02}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.999{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-394B-63C5-A505-00000000AF02}7032C:\Windows\servicing\TrustedInstaller.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000032211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:23.999{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-394B-63C5-A505-00000000AF02}7032C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000032546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.922{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000032545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.922{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000032544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.922{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000032543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.922{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000032542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.922{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000032541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.920{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000032540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.920{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000032539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.920{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000032538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.920{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000032537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.918{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000032536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.918{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 11241100x800000000000000032535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.714{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000032534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.714{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24A3175DEE6704BC697CACA3A2DD9EF4,SHA256=9EA3F7C843050101F9227F9AA8CB54EF4622DC86FBF5881441178D4158E5EABA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000032533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.360{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000032532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.359{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8EEE13A10BC020AEA9F0A62ACFD18D7,SHA256=152872BAE0EF98810F5A6428592E1D00C6AC8A995B37A6112A24C614023457D7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000032531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.347{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\cHpfiXA9s.README.txt2023-01-16 11:47:25.347 11241100x800000000000000032530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.346{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\cHpfiXA9s.README.txt2023-01-16 11:47:25.346 11241100x800000000000000032529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.346{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\cHpfiXA9s.README.txt2023-01-16 11:47:25.345 11241100x800000000000000032528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.345{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\cHpfiXA9s.README.txt2023-01-16 11:47:25.345 11241100x800000000000000032527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.344{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\RoamingState\cHpfiXA9s.README.txt2023-01-16 11:47:25.344 11241100x800000000000000032526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.340{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\cHpfiXA9s.README.txt2023-01-16 11:47:25.340 11241100x800000000000000032525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.339{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\SystemAppData\cHpfiXA9s.README.txt2023-01-16 11:47:25.339 11241100x800000000000000032524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.339{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\TempState\cHpfiXA9s.README.txt2023-01-16 11:47:25.339 11241100x800000000000000032523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.338{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\cHpfiXA9s.README.txt2023-01-16 11:47:25.338 11241100x800000000000000032522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.337{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\AC\cHpfiXA9s.README.txt2023-01-16 11:47:25.337 11241100x800000000000000032521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.337{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\AppData\cHpfiXA9s.README.txt2023-01-16 11:47:25.336 11241100x800000000000000032520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.336{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\LocalCache\cHpfiXA9s.README.txt2023-01-16 11:47:25.336 11241100x800000000000000032519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.335{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\LocalState\cHpfiXA9s.README.txt2023-01-16 11:47:25.335 11241100x800000000000000032518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.335{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\RoamingState\cHpfiXA9s.README.txt2023-01-16 11:47:25.334 11241100x800000000000000032517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.330{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\Settings\cHpfiXA9s.README.txt2023-01-16 11:47:25.330 11241100x800000000000000032516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.330{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\SystemAppData\cHpfiXA9s.README.txt2023-01-16 11:47:25.330 11241100x800000000000000032515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.329{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\TempState\cHpfiXA9s.README.txt2023-01-16 11:47:25.329 11241100x800000000000000032514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.328{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\cHpfiXA9s.README.txt2023-01-16 11:47:25.328 11241100x800000000000000032513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.328{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AC\cHpfiXA9s.README.txt2023-01-16 11:47:25.327 11241100x800000000000000032512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.327{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AppData\cHpfiXA9s.README.txt2023-01-16 11:47:25.327 11241100x800000000000000032511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.326{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\LocalCache\cHpfiXA9s.README.txt2023-01-16 11:47:25.326 11241100x800000000000000032510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.326{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\LocalState\cHpfiXA9s.README.txt2023-01-16 11:47:25.325 11241100x800000000000000032509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.325{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\RoamingState\cHpfiXA9s.README.txt2023-01-16 11:47:25.325 11241100x800000000000000032508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.320{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\cHpfiXA9s.README.txt2023-01-16 11:47:25.320 11241100x800000000000000032507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.320{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\SystemAppData\cHpfiXA9s.README.txt2023-01-16 11:47:25.319 11241100x800000000000000032506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.319{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\TempState\cHpfiXA9s.README.txt2023-01-16 11:47:25.319 10341000x800000000000000032505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.318{FCCA13C7-394D-63C5-A905-00000000AF02}49163808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000032504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.318{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\cHpfiXA9s.README.txt2023-01-16 11:47:25.318 11241100x800000000000000032503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.317{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\cHpfiXA9s.README.txt2023-01-16 11:47:25.317 11241100x800000000000000032502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.316{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\PeerDistRepub\cHpfiXA9s.README.txt2023-01-16 11:47:25.316 11241100x800000000000000032501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.316{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Programs\Common\cHpfiXA9s.README.txt2023-01-16 11:47:25.316 11241100x800000000000000032500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.315{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Programs\cHpfiXA9s.README.txt2023-01-16 11:47:25.315 11241100x800000000000000032499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.314{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Temp\2\cHpfiXA9s.README.txt2023-01-16 11:47:25.314 11241100x800000000000000032498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.314{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1673867357.345404-17644-67852219399178\cHpfiXA9s.README.txt2023-01-16 11:47:25.313 11241100x800000000000000032497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.313{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1673867364.9688-17648-246329004865569\cHpfiXA9s.README.txt2023-01-16 11:47:25.313 11241100x800000000000000032496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.312{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1673867465.254814-17701-276362183357973\cHpfiXA9s.README.txt2023-01-16 11:47:25.312 11241100x800000000000000032495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.308{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Temp\chocolatey\chocoInstall\package\services\metadata\core-properties\cHpfiXA9s.README.txt2023-01-16 11:47:25.308 11241100x800000000000000032494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.308{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Temp\chocolatey\chocoInstall\package\services\metadata\cHpfiXA9s.README.txt2023-01-16 11:47:25.308 11241100x800000000000000032493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.307{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Temp\chocolatey\chocoInstall\package\services\cHpfiXA9s.README.txt2023-01-16 11:47:25.307 11241100x800000000000000032492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.306{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Temp\chocolatey\chocoInstall\package\cHpfiXA9s.README.txt2023-01-16 11:47:25.305 10341000x800000000000000032491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.250{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000032490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.250{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000032489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.249{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000032488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.248{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000032487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.226{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000032486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.220{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000032485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.196{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000032484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.190{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 11241100x800000000000000032483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.189{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\functions\cHpfiXA9s.README.txt2023-01-16 11:47:25.189 10341000x800000000000000032482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.182{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000032481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.178{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-394C-63C5-A705-00000000AF02}2300C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000032480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.178{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-394C-63C5-A705-00000000AF02}2300C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000032479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.178{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-394C-63C5-A705-00000000AF02}2300C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000032478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.178{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000032477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.177{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-394B-63C5-A505-00000000AF02}7032C:\Windows\servicing\TrustedInstaller.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000032476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.177{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-394B-63C5-A505-00000000AF02}7032C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000032475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.177{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-394B-63C5-A505-00000000AF02}7032C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000032474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.176{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000032473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.175{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000032472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.175{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000032471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.175{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 11241100x800000000000000032470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.174{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\cHpfiXA9s.README.txt2023-01-16 11:47:25.174 10341000x800000000000000032469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.174{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000032468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.171{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000032467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.171{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000032466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.167{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000032465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.165{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000032464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.164{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000032463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.163{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000032462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.163{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000032461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.161{FCCA13C7-3392-63C5-AF01-00000000AF02}33766100C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00190) 10341000x800000000000000032460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.157{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-394D-63C5-A905-00000000AF02}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.156{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.156{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.156{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.156{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.155{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-394D-63C5-A905-00000000AF02}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.155{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-394D-63C5-A905-00000000AF02}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.155{FCCA13C7-394D-63C5-A905-00000000AF02}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000032452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.152{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\redirects\cHpfiXA9s.README.txt2023-01-16 11:47:25.152 11241100x800000000000000032451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.132{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\cHpfiXA9s.README.txt2023-01-16 11:47:25.132 11241100x800000000000000032450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.121{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\cHpfiXA9s.README.txt2023-01-16 11:47:25.121 11241100x800000000000000032449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.109{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Temp\chocolatey\chocoInstall\tools\cHpfiXA9s.README.txt2023-01-16 11:47:25.109 11241100x800000000000000032448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.105{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Temp\chocolatey\chocoInstall\_rels\cHpfiXA9s.README.txt2023-01-16 11:47:25.105 11241100x800000000000000032447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.096{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Temp\chocolatey\chocoInstall\cHpfiXA9s.README.txt2023-01-16 11:47:25.096 11241100x800000000000000032446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.095{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Temp\chocolatey\Firefox\108.0.2\cHpfiXA9s.README.txt2023-01-16 11:47:25.095 11241100x800000000000000032445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.094{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Temp\chocolatey\Firefox\cHpfiXA9s.README.txt2023-01-16 11:47:25.094 11241100x800000000000000032444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.090{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Temp\chocolatey\cHpfiXA9s.README.txt2023-01-16 11:47:25.090 11241100x800000000000000032443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.089{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Temp\Low\cHpfiXA9s.README.txt2023-01-16 11:47:25.088 11241100x800000000000000032442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.080{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Temp\cHpfiXA9s.README.txt2023-01-16 11:47:25.080 13241300x800000000000000032441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:25.045{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 13241300x800000000000000032440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:25.042{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 11241100x800000000000000032439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.021{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000032438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.020{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8559241B6AB7900A8666FD38AA8E0181,SHA256=8A4D41C2712517F33A95842A5AF4ADF658C3A3FD8A81FC766FC1CE673BB9C5EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:25.085{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F54BDB2CA6458585BD23B67BC7392427,SHA256=11F6999513ECABBB67C2EA50F549046E319ED8D8EBC0A3060BB110D46A5AAA91,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000032676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.970{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\TileDataLayer\Database\EDBtmp.log2023-01-16 10:36:29.088 23542300x800000000000000032675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.969{FCCA13C7-30FB-63C5-2900-00000000AF02}2660NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\TileDataLayer\Database\EDB.chkMD5=91CD0967151DB2441AEA3797297C9457,SHA256=D4638327D521C0D2CBE9CCAE2EC570FAB8177FBD1369F08940F99866B7D2A8FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.960{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.960{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.946{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-394E-63C5-AC05-00000000AF02}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.946{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+ac576|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.946{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+ac576|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.946{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+ac576|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.945{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+ac576|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.944{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.944{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.943{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-394E-63C5-AC05-00000000AF02}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.943{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.943{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.943{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-394E-63C5-AC05-00000000AF02}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.942{FCCA13C7-394E-63C5-AC05-00000000AF02}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.942{FCCA13C7-3386-63C5-9201-00000000AF02}29806300C:\Windows\system32\sihost.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000032659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.942{FCCA13C7-3386-63C5-9201-00000000AF02}29806300C:\Windows\system32\sihost.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 11241100x800000000000000032658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.942{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000032657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.941{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1942C5C6D78DE0F9D85EBB655C4EF32,SHA256=22C48BCA610A5900D7D60FC3081CBB10D1C651F53F58C86A4C1BE49543124196,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.939{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+ac576|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.939{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+ac576|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.936{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000032653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.935{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+b9728|C:\Windows\System32\TwinUI.dll+b998a|C:\Windows\System32\TwinUI.dll+ba56b|C:\Windows\System32\TwinUI.dll+ba4f2|C:\Windows\System32\TwinUI.dll+1371ff|C:\Windows\System32\TwinUI.dll+137e73|C:\Windows\System32\TwinUI.dll+1389b7|C:\Windows\System32\TwinUI.dll+d17a4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.935{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9728|C:\Windows\System32\TwinUI.dll+b998a|C:\Windows\System32\TwinUI.dll+ba56b|C:\Windows\System32\TwinUI.dll+ba4f2|C:\Windows\System32\TwinUI.dll+1371ff|C:\Windows\System32\TwinUI.dll+137e73|C:\Windows\System32\TwinUI.dll+1389b7|C:\Windows\System32\TwinUI.dll+d17a4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.934{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9728|C:\Windows\System32\TwinUI.dll+b998a|C:\Windows\System32\TwinUI.dll+ba56b|C:\Windows\System32\TwinUI.dll+ba4f2|C:\Windows\System32\TwinUI.dll+1371ff|C:\Windows\System32\TwinUI.dll+137e73|C:\Windows\System32\TwinUI.dll+1389b7|C:\Windows\System32\TwinUI.dll+d17a4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.934{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+129aec|C:\Windows\System32\TwinUI.dll+b5774|C:\Windows\System32\TwinUI.dll+b148b|C:\Windows\System32\TwinUI.dll+d178a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.933{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+ac576|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.933{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+ac576|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.932{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+ac576|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.932{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+ac576|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.907{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9b44|C:\Windows\System32\TwinUI.dll+ba1f7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000032644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.907{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9b44|C:\Windows\System32\TwinUI.dll+ba1f7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000032643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.907{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000032642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.907{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+b9728|C:\Windows\System32\TwinUI.dll+b998a|C:\Windows\System32\TwinUI.dll+ba50e|C:\Windows\System32\TwinUI.dll+1371ff|C:\Windows\System32\TwinUI.dll+137e73|C:\Windows\System32\TwinUI.dll+1389b7|C:\Windows\System32\TwinUI.dll+d17a4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.907{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9728|C:\Windows\System32\TwinUI.dll+b998a|C:\Windows\System32\TwinUI.dll+ba50e|C:\Windows\System32\TwinUI.dll+1371ff|C:\Windows\System32\TwinUI.dll+137e73|C:\Windows\System32\TwinUI.dll+1389b7|C:\Windows\System32\TwinUI.dll+d17a4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.907{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9728|C:\Windows\System32\TwinUI.dll+b998a|C:\Windows\System32\TwinUI.dll+ba50e|C:\Windows\System32\TwinUI.dll+1371ff|C:\Windows\System32\TwinUI.dll+137e73|C:\Windows\System32\TwinUI.dll+1389b7|C:\Windows\System32\TwinUI.dll+d17a4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.892{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+129aec|C:\Windows\System32\TwinUI.dll+b5774|C:\Windows\System32\TwinUI.dll+b148b|C:\Windows\System32\TwinUI.dll+d178a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.892{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+ac576|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.892{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+ac576|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.892{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+ac576|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.892{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+ac576|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.892{FCCA13C7-3386-63C5-9501-00000000AF02}28963900C:\Windows\system32\taskhostw.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000032633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:26.892{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000032632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:26.892{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 11241100x800000000000000032631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.876{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\cHpfiXA9s.README.txt2023-01-16 11:47:26.876 11241100x800000000000000032630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.876{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\cHpfiXA9s.README.txt2023-01-16 11:47:26.876 10341000x800000000000000032629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.861{FCCA13C7-30EE-63C5-1600-00000000AF02}12921824C:\Windows\system32\svchost.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.861{FCCA13C7-30EE-63C5-1600-00000000AF02}12921332C:\Windows\system32\svchost.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.861{FCCA13C7-30ED-63C5-0C00-00000000AF02}8485840C:\Windows\system32\svchost.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.861{FCCA13C7-30ED-63C5-0C00-00000000AF02}8485840C:\Windows\system32\svchost.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000032625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.861{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3bf97c11-0c46-45ef-9f26-16c00410f26f}\cHpfiXA9s.README.txt2023-01-16 11:47:26.861 10341000x800000000000000032624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.845{FCCA13C7-3383-63C5-8701-00000000AF02}33724520C:\Windows\system32\csrss.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.845{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+f997|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 12241200x800000000000000032622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:26.845{FCCA13C7-3386-63C5-9201-00000000AF02}2980C:\Windows\system32\sihost.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\PlmVolatile\TerminationType\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy!App 10341000x800000000000000032621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.845{FCCA13C7-3386-63C5-9201-00000000AF02}29805208C:\Windows\system32\sihost.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+47ca8|C:\Windows\System32\modernexecserver.dll+47c41|C:\Windows\System32\modernexecserver.dll+19c8a|C:\Windows\System32\modernexecserver.dll+1f6f8|C:\Windows\SYSTEM32\twinapi.appcore.dll+32a67|C:\Windows\SYSTEM32\twinapi.appcore.dll+32870|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.845{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.845{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+26002|c:\windows\system32\rpcss.dll+41031|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000032618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.845{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{5edd845e-8594-4cae-bfff-17ea1e4c0991}\cHpfiXA9s.README.txt2023-01-16 11:47:26.845 10341000x800000000000000032617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.814{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 11241100x800000000000000032616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.814{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{de29c328-3b3d-4ef6-bcf9-9e72c64f90cd}\cHpfiXA9s.README.txt2023-01-16 11:47:26.814 11241100x800000000000000032615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.814{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\cHpfiXA9s.README.txt2023-01-16 11:47:26.814 11241100x800000000000000032614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.798{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\cHpfiXA9s.README.txt2023-01-16 11:47:26.798 11241100x800000000000000032613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.798{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\cHpfiXA9s.README.txt2023-01-16 11:47:26.798 11241100x800000000000000032612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.798{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\RoamingState\cHpfiXA9s.README.txt2023-01-16 11:47:26.798 12241200x800000000000000032611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:26.798{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000032610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:26.798{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000032609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:26.798{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000032608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:26.798{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000032607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:26.798{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000032606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:26.798{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 13241300x800000000000000032605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:26.782{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000032604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:26.782{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000032603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:26.782{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000032602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:26.782{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000032601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:26.782{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 11241100x800000000000000032600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.782{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\cHpfiXA9s.README.txt2023-01-16 11:47:26.782 11241100x800000000000000032599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.782{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\SystemAppData\cHpfiXA9s.README.txt2023-01-16 11:47:26.782 11241100x800000000000000032598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.782{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\TempState\cHpfiXA9s.README.txt2023-01-16 11:47:26.782 11241100x800000000000000032597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.782{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\cHpfiXA9s.README.txt2023-01-16 11:47:26.782 11241100x800000000000000032596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.782{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\AC\Temp\cHpfiXA9s.README.txt2023-01-16 11:47:26.782 11241100x800000000000000032595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.782{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\AC\cHpfiXA9s.README.txt2023-01-16 11:47:26.782 11241100x800000000000000032594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.782{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\AppData\cHpfiXA9s.README.txt2023-01-16 11:47:26.782 11241100x800000000000000032593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.782{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\LocalCache\cHpfiXA9s.README.txt2023-01-16 11:47:26.782 11241100x800000000000000032592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.782{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\LocalState\cHpfiXA9s.README.txt2023-01-16 11:47:26.782 11241100x800000000000000032591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.782{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\RoamingState\cHpfiXA9s.README.txt2023-01-16 11:47:26.767 11241100x800000000000000032590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.767{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\Settings\cHpfiXA9s.README.txt2023-01-16 11:47:26.767 11241100x800000000000000032589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.767{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\SystemAppData\cHpfiXA9s.README.txt2023-01-16 11:47:26.767 11241100x800000000000000032588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.767{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\TempState\cHpfiXA9s.README.txt2023-01-16 11:47:26.767 11241100x800000000000000032587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.767{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\cHpfiXA9s.README.txt2023-01-16 11:47:26.767 11241100x800000000000000032586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.767{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\Microsoft\cHpfiXA9s.README.txt2023-01-16 11:47:26.767 11241100x800000000000000032585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.767{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\Temp\cHpfiXA9s.README.txt2023-01-16 11:47:26.767 11241100x800000000000000032584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.767{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\cHpfiXA9s.README.txt2023-01-16 11:47:26.767 11241100x800000000000000032583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.767{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AppData\cHpfiXA9s.README.txt2023-01-16 11:47:26.767 11241100x800000000000000032582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.767{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\LocalCache\cHpfiXA9s.README.txt2023-01-16 11:47:26.767 11241100x800000000000000032581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.767{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\LocalState\cHpfiXA9s.README.txt2023-01-16 11:47:26.767 11241100x800000000000000032580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.767{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\RoamingState\cHpfiXA9s.README.txt2023-01-16 11:47:26.767 11241100x800000000000000032579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.767{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\cHpfiXA9s.README.txt2023-01-16 11:47:26.767 11241100x800000000000000032578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.767{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\SystemAppData\cHpfiXA9s.README.txt2023-01-16 11:47:26.767 11241100x800000000000000032577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.751{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\cHpfiXA9s.README.txt2023-01-16 11:47:26.751 11241100x800000000000000032576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.751{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\cHpfiXA9s.README.txt2023-01-16 11:47:26.751 11241100x800000000000000032575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.751{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AC\Temp\cHpfiXA9s.README.txt2023-01-16 11:47:26.751 11241100x800000000000000032574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.751{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AC\cHpfiXA9s.README.txt2023-01-16 11:47:26.751 11241100x800000000000000032573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.751{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AppData\cHpfiXA9s.README.txt2023-01-16 11:47:26.751 11241100x800000000000000032572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.751{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\LocalCache\cHpfiXA9s.README.txt2023-01-16 11:47:26.751 11241100x800000000000000032571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.751{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\LocalState\cHpfiXA9s.README.txt2023-01-16 11:47:26.751 11241100x800000000000000032570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.751{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\RoamingState\cHpfiXA9s.README.txt2023-01-16 11:47:26.751 11241100x800000000000000032569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.736{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Settings\cHpfiXA9s.README.txt2023-01-16 11:47:26.736 11241100x800000000000000032568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.736{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\SystemAppData\cHpfiXA9s.README.txt2023-01-16 11:47:26.736 11241100x800000000000000032567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.736{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\TempState\cHpfiXA9s.README.txt2023-01-16 11:47:26.736 11241100x800000000000000032566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.736{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\cHpfiXA9s.README.txt2023-01-16 11:47:26.736 11241100x800000000000000032565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.736{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\AC\cHpfiXA9s.README.txt2023-01-16 11:47:26.736 11241100x800000000000000032564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.736{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\AppData\cHpfiXA9s.README.txt2023-01-16 11:47:26.736 11241100x800000000000000032563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.736{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalCache\cHpfiXA9s.README.txt2023-01-16 11:47:26.736 10341000x800000000000000032562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.454{FCCA13C7-394E-63C5-AA05-00000000AF02}66165888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000032561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:26.314{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6335A056-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6335A056-0000-0000-0000-100000000000.XML 11241100x800000000000000032560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.314{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\Config\Volume_6335A056-0000-0000-0000-100000000000.XML.TMP2023-01-16 11:47:26.314 10341000x800000000000000032559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.314{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-394E-63C5-AA05-00000000AF02}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.314{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.314{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.314{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.314{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.314{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-394E-63C5-AA05-00000000AF02}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.314{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-394E-63C5-AA05-00000000AF02}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.314{FCCA13C7-394E-63C5-AA05-00000000AF02}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000032551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:26.298{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\F283BD66-5E50-484D-ADBD-4AC94CBA68D3\Config SourceDWORD (0x00000001) 13241300x800000000000000032550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:26.298{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\F283BD66-5E50-484D-ADBD-4AC94CBA68D3\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_F283BD66-5E50-484D-ADBD-4AC94CBA68D3.XML 11241100x800000000000000032549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.298{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\Config\Replica_F283BD66-5E50-484D-ADBD-4AC94CBA68D3.XML.TMP2023-01-16 11:47:26.298 10341000x800000000000000032548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.298{FCCA13C7-30EC-63C5-0B00-00000000AF02}628668C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.298{FCCA13C7-30EC-63C5-0B00-00000000AF02}628668C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000014065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:23.598{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49989-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:26.181{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0217DFFB9D9458C174C70F88D910418,SHA256=73CDCDC010549333C8D867ACB31732951CB21F28F91807947CCC626F243F540C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.984{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.981{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.981{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000032991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:27.955{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 13241300x800000000000000032990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:27.952{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000032989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:27.952{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 11241100x800000000000000032988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.885{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\USOShared\Logs\cHpfiXA9s.README.txt2023-01-16 11:47:27.885 11241100x800000000000000032987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.854{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\USOShared\cHpfiXA9s.README.txt2023-01-16 11:47:27.854 11241100x800000000000000032986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.854{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\cHpfiXA9s.README.txt2023-01-16 11:47:27.854 11241100x800000000000000032985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.854{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Temp\cHpfiXA9s.README.txt2023-01-16 11:47:27.854 11241100x800000000000000032984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.854{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\AWSToolkit\cHpfiXA9s.README.txt2023-01-16 11:47:27.854 11241100x800000000000000032983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.838{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Comms\Unistore\data\cHpfiXA9s.README.txt2023-01-16 11:47:27.838 11241100x800000000000000032982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.838{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Comms\Unistore\cHpfiXA9s.README.txt2023-01-16 11:47:27.838 11241100x800000000000000032981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.822{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Comms\UnistoreDB\cHpfiXA9s.README.txt2023-01-16 11:47:27.822 11241100x800000000000000032980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.822{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Comms\cHpfiXA9s.README.txt2023-01-16 11:47:27.822 12241200x800000000000000032979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:27.611{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000032978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:27.611{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000032977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:27.611{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000032976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:27.611{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000032975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:27.611{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000032974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:27.611{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 13241300x800000000000000032973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:27.609{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_155bf9\StartDWORD (0x00000004) 13241300x800000000000000032972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:27.609{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_155bf9\DeleteFlagDWORD (0x00000001) 13241300x800000000000000032971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:27.608{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_155bf9\StartDWORD (0x00000004) 13241300x800000000000000032970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:27.608{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_155bf9\DeleteFlagDWORD (0x00000001) 10341000x800000000000000032969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.589{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000032968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:27.575{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000032967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:27.575{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000032966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:27.575{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000032965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:27.574{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000032964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:27.574{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 11241100x800000000000000032963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.573{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\ConnectedDevicesPlatform\cHpfiXA9s.README.txt2023-01-16 11:47:27.573 11241100x800000000000000032962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.573{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\cHpfiXA9s.README.txt2023-01-16 11:47:27.573 11241100x800000000000000032961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.572{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\cHpfiXA9s.README.txt2023-01-16 11:47:27.572 11241100x800000000000000032960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.571{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\cHpfiXA9s.README.txt2023-01-16 11:47:27.571 11241100x800000000000000032959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.571{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\Feeds\cHpfiXA9s.README.txt2023-01-16 11:47:27.570 11241100x800000000000000032958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.570{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\InstallAgent\Checkpoints\cHpfiXA9s.README.txt2023-01-16 11:47:27.570 11241100x800000000000000032957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.569{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\InstallAgent\cHpfiXA9s.README.txt2023-01-16 11:47:27.568 11241100x800000000000000032956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.564{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\IECompatData\cHpfiXA9s.README.txt2023-01-16 11:47:27.564 11241100x800000000000000032955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.560{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\imagestore\2p6opy5\cHpfiXA9s.README.txt2023-01-16 11:47:27.560 11241100x800000000000000032954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.559{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\imagestore\cHpfiXA9s.README.txt2023-01-16 11:47:27.559 11241100x800000000000000032953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.558{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\TabRoaming\cHpfiXA9s.README.txt2023-01-16 11:47:27.558 11241100x800000000000000032952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.557{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Tracking Protection\cHpfiXA9s.README.txt2023-01-16 11:47:27.557 11241100x800000000000000032951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.544{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\cHpfiXA9s.README.txt2023-01-16 11:47:27.544 11241100x800000000000000032950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.510{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00040D1C\cHpfiXA9s.README.txt2023-01-16 11:47:27.510 11241100x800000000000000032949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.478{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00044FE1\cHpfiXA9s.README.txt2023-01-16 11:47:27.478 11241100x800000000000000032948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.445{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0004CFDF\cHpfiXA9s.README.txt2023-01-16 11:47:27.445 10341000x800000000000000032947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.444{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000032946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.443{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000032945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.443{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 11241100x800000000000000032944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.413{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000032943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.412{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F7174DE27172316080FDB010459FF42,SHA256=393D50E5BA9F3D7A064043F6B94A5E133521D997DFCDB65047D3A20441A4C5C4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000032942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.410{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\000A493D\cHpfiXA9s.README.txt2023-01-16 11:47:27.409 11241100x800000000000000032941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.346{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0015846C\cHpfiXA9s.README.txt2023-01-16 11:47:27.346 11241100x800000000000000032940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.341{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 10341000x800000000000000032939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.341{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9b44|C:\Windows\System32\TwinUI.dll+ba1f7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000032938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.341{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9b44|C:\Windows\System32\TwinUI.dll+ba1f7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 23542300x800000000000000032937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.341{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=290B12C4B2CDEB2FAAFB83EF5D89A598,SHA256=44F550DF4257A89701CE1446C68E30BF251375222F1242D6CD78454B534B1DFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.322{FCCA13C7-30ED-63C5-1000-00000000AF02}3681676C:\Windows\system32\svchost.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.318{FCCA13C7-30ED-63C5-1000-00000000AF02}3681676C:\Windows\system32\svchost.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.317{FCCA13C7-30ED-63C5-1000-00000000AF02}3681676C:\Windows\system32\svchost.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.312{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+18aac|C:\Windows\SYSTEM32\psmserviceexthost.dll+e47e|C:\Windows\SYSTEM32\psmserviceexthost.dll+e517|C:\Windows\SYSTEM32\psmserviceexthost.dll+e22a|C:\Windows\SYSTEM32\psmserviceexthost.dll+18e78|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.309{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9b44|C:\Windows\System32\TwinUI.dll+ba1f7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000032931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.309{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9b44|C:\Windows\System32\TwinUI.dll+ba1f7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000032930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.307{FCCA13C7-3387-63C5-9D01-00000000AF02}12845976C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\wpncore.dll+466bd|C:\Windows\System32\wpncore.dll+4658e|C:\Windows\System32\wpncore.dll+434e3|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 10341000x800000000000000032929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.307{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+3844|C:\Windows\SYSTEM32\psmserviceexthost.dll+1470c|C:\Windows\SYSTEM32\psmserviceexthost.dll+14dbb|C:\Windows\SYSTEM32\psmserviceexthost.dll+12127|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.307{FCCA13C7-3387-63C5-9D01-00000000AF02}12845976C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\wpncore.dll+466bd|C:\Windows\System32\wpncore.dll+46600|C:\Windows\System32\wpncore.dll+434a7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 10341000x800000000000000032927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.307{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.306{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9b44|C:\Windows\System32\TwinUI.dll+ba1f7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000032925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.306{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9b44|C:\Windows\System32\TwinUI.dll+ba1f7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000032924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.304{FCCA13C7-3387-63C5-9D01-00000000AF02}12845312C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\wpncore.dll+466bd|C:\Windows\System32\wpncore.dll+4658e|C:\Windows\System32\wpncore.dll+434e3|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 10341000x800000000000000032923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.304{FCCA13C7-3387-63C5-9D01-00000000AF02}12845312C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\wpncore.dll+466bd|C:\Windows\System32\wpncore.dll+46600|C:\Windows\System32\wpncore.dll+434a7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 11241100x800000000000000032922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.304{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0026B51E\cHpfiXA9s.README.txt2023-01-16 11:47:27.303 10341000x800000000000000032921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.301{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+83c5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b9c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.301{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b3b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.301{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8749|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ae6|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.300{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000032917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.299{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000032916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.299{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000032915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.299{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000032914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.299{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000032913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.299{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000032912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.298{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000032911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.298{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000032910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.298{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000032909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.297{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.296{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.296{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.296{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.295{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.294{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.293{FCCA13C7-3387-63C5-9D01-00000000AF02}12845312C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\SHCORE.dll+35586|C:\Windows\System32\SHCORE.dll+201ff|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x800000000000000032902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.286{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3dff|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000032901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.286{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3dff|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000032900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.271{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1af53|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.271{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1af53|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.271{FCCA13C7-3386-63C5-9101-00000000AF02}48206460C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b304|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b418|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a2d6|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x800000000000000032897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.267{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+30ccd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.267{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+30ccd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.266{FCCA13C7-3386-63C5-9101-00000000AF02}48206460C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b304|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b418|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a2d6|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 11241100x800000000000000032894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.266{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\002AC538\cHpfiXA9s.README.txt2023-01-16 11:47:27.266 13241300x800000000000000032893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:27.265{FCCA13C7-3386-63C5-9101-00000000AF02}4820C:\Windows\System32\RuntimeBroker.exeHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 11241100x800000000000000032892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.264{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\cHpfiXA9s.README.txt2023-01-16 11:47:27.264 11241100x800000000000000032891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.264{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\cHpfiXA9s.README.txt2023-01-16 11:47:27.264 11241100x800000000000000032890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.263{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\Media Player\cHpfiXA9s.README.txt2023-01-16 11:47:27.263 10341000x800000000000000032889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.263{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+30ccd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.263{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+30ccd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.262{FCCA13C7-3386-63C5-9101-00000000AF02}48206460C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b304|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b418|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a2d6|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 13241300x800000000000000032886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:27.261{FCCA13C7-3386-63C5-9101-00000000AF02}4820C:\Windows\System32\RuntimeBroker.exeHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 10341000x800000000000000032885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.260{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+30ccd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.259{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+30ccd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000032883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.259{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\PenWorkspace\cHpfiXA9s.README.txt2023-01-16 11:47:27.259 10341000x800000000000000032882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.259{FCCA13C7-3386-63C5-9101-00000000AF02}48206460C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b304|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b418|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a2d6|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 11241100x800000000000000032881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.258{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\PlayReady\Internet Explorer\Desktop\cHpfiXA9s.README.txt2023-01-16 11:47:27.258 11241100x800000000000000032880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.257{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\PlayReady\Internet Explorer\InPrivate\Desktop\cHpfiXA9s.README.txt2023-01-16 11:47:27.257 13241300x800000000000000032879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:27.257{FCCA13C7-3386-63C5-9101-00000000AF02}4820C:\Windows\System32\RuntimeBroker.exeHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 11241100x800000000000000032878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.257{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\PlayReady\Internet Explorer\InPrivate\cHpfiXA9s.README.txt2023-01-16 11:47:27.256 11241100x800000000000000032877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.256{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\PlayReady\Internet Explorer\cHpfiXA9s.README.txt2023-01-16 11:47:27.256 10341000x800000000000000032876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.256{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+30ccd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.256{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+30ccd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000032874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.255{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\PlayReady\cHpfiXA9s.README.txt2023-01-16 11:47:27.255 10341000x800000000000000032873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.255{FCCA13C7-3386-63C5-9101-00000000AF02}48206460C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b304|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b418|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a2d6|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 11241100x800000000000000032872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.251{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\cHpfiXA9s.README.txt2023-01-16 11:47:27.250 23542300x800000000000000032871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.250{FCCA13C7-394B-63C5-A305-00000000AF02}3676ATTACKRANGE\AdministratorC:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\Vault\UserProfileRoaming\Latest.dat.cHpfiXA9sMD5=93B885ADFE0DA089CDF634904FD59F71,SHA256=6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 10341000x800000000000000032870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.249{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+30ccd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.249{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+30ccd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.249{FCCA13C7-3386-63C5-9101-00000000AF02}48206460C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b304|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b418|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a2d6|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 13241300x800000000000000032867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:27.248{FCCA13C7-3386-63C5-9101-00000000AF02}4820C:\Windows\System32\RuntimeBroker.exeHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 11241100x800000000000000032866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.246{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\Vault\UserProfileRoaming\cHpfiXA9s.README.txt2023-01-16 11:47:27.246 11241100x800000000000000032865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.245{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\Vault\cHpfiXA9s.README.txt2023-01-16 11:47:27.244 11241100x800000000000000032864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.244{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows Sidebar\Gadgets\cHpfiXA9s.README.txt2023-01-16 11:47:27.244 10341000x800000000000000032863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.244{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+30ccd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.244{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+30ccd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.243{FCCA13C7-3386-63C5-9101-00000000AF02}48206460C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b304|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b418|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a2d6|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 11241100x800000000000000032860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.239{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows Sidebar\cHpfiXA9s.README.txt2023-01-16 11:47:27.239 11241100x800000000000000032859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.238{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft\cHpfiXA9s.README.txt2023-01-16 11:47:27.238 11241100x800000000000000032858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.234{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\ServerManager.exe_StrongName_m3xk0k0ucj0oj3ai2hibnhnv4xobnimj\10.0.0.0\cHpfiXA9s.README.txt2023-01-16 11:47:27.234 11241100x800000000000000032857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.233{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\ServerManager.exe_StrongName_m3xk0k0ucj0oj3ai2hibnhnv4xobnimj\cHpfiXA9s.README.txt2023-01-16 11:47:27.233 11241100x800000000000000032856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.232{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\cHpfiXA9s.README.txt2023-01-16 11:47:27.231 10341000x800000000000000032855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.229{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+30ccd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.229{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+30ccd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.229{FCCA13C7-3386-63C5-9101-00000000AF02}48206460C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b304|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b418|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a2d6|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 13241300x800000000000000032852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:27.227{FCCA13C7-3386-63C5-9101-00000000AF02}4820C:\Windows\System32\RuntimeBroker.exeHKU\S-1-5-21-489063788-1047142772-617343651-500_Classes\Local Settings\MuiCache\167\52C64B7E\LanguageListBinary Data 10341000x800000000000000032851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.222{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+30ccd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.222{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+30ccd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.221{FCCA13C7-3386-63C5-9101-00000000AF02}48206460C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b304|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b418|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a2d6|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 11241100x800000000000000032848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.215{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\NuGet\Cache\cHpfiXA9s.README.txt2023-01-16 11:47:27.214 10341000x800000000000000032847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.214{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1af53|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.214{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1af53|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.213{FCCA13C7-3386-63C5-9101-00000000AF02}48206460C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b304|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b418|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a2d6|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 11241100x800000000000000032844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.212{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\NuGet\cHpfiXA9s.README.txt2023-01-16 11:47:27.212 11241100x800000000000000032843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.211{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\cHpfiXA9s.README.txt2023-01-16 11:47:27.211 11241100x800000000000000032842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.210{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\ActiveSync\LocalState\cHpfiXA9s.README.txt2023-01-16 11:47:27.210 11241100x800000000000000032841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.210{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\ActiveSync\cHpfiXA9s.README.txt2023-01-16 11:47:27.209 11241100x800000000000000032840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.209{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\Temp\cHpfiXA9s.README.txt2023-01-16 11:47:27.209 11241100x800000000000000032839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.208{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\cHpfiXA9s.README.txt2023-01-16 11:47:27.208 11241100x800000000000000032838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.207{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AppData\cHpfiXA9s.README.txt2023-01-16 11:47:27.207 11241100x800000000000000032837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.206{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\LocalCache\cHpfiXA9s.README.txt2023-01-16 11:47:27.206 11241100x800000000000000032836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.205{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\LocalState\cHpfiXA9s.README.txt2023-01-16 11:47:27.205 11241100x800000000000000032835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.205{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\RoamingState\cHpfiXA9s.README.txt2023-01-16 11:47:27.205 11241100x800000000000000032834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.201{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Settings\cHpfiXA9s.README.txt2023-01-16 11:47:27.201 11241100x800000000000000032833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.200{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\SystemAppData\cHpfiXA9s.README.txt2023-01-16 11:47:27.200 11241100x800000000000000032832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.199{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\TempState\cHpfiXA9s.README.txt2023-01-16 11:47:27.199 11241100x800000000000000032831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.199{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\cHpfiXA9s.README.txt2023-01-16 11:47:27.198 11241100x800000000000000032830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.198{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\AC\Temp\cHpfiXA9s.README.txt2023-01-16 11:47:27.198 11241100x800000000000000032829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.197{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\AC\cHpfiXA9s.README.txt2023-01-16 11:47:27.197 11241100x800000000000000032828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.196{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\AppData\cHpfiXA9s.README.txt2023-01-16 11:47:27.196 11241100x800000000000000032827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.195{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\LocalCache\cHpfiXA9s.README.txt2023-01-16 11:47:27.195 11241100x800000000000000032826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.195{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\LocalState\cHpfiXA9s.README.txt2023-01-16 11:47:27.194 11241100x800000000000000032825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.194{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\RoamingState\cHpfiXA9s.README.txt2023-01-16 11:47:27.194 11241100x800000000000000032824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.189{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\cHpfiXA9s.README.txt2023-01-16 11:47:27.189 11241100x800000000000000032823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.189{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\SystemAppData\cHpfiXA9s.README.txt2023-01-16 11:47:27.188 354300x800000000000000032822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:24.656{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56869-false10.0.1.12-8000- 11241100x800000000000000032821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.188{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\TempState\cHpfiXA9s.README.txt2023-01-16 11:47:27.188 11241100x800000000000000032820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.187{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\cHpfiXA9s.README.txt2023-01-16 11:47:27.187 11241100x800000000000000032819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.186{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\AC\Temp\cHpfiXA9s.README.txt2023-01-16 11:47:27.186 11241100x800000000000000032818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.186{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\AC\cHpfiXA9s.README.txt2023-01-16 11:47:27.186 11241100x800000000000000032817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.185{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\AppData\cHpfiXA9s.README.txt2023-01-16 11:47:27.185 11241100x800000000000000032816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.184{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\LocalCache\cHpfiXA9s.README.txt2023-01-16 11:47:27.184 11241100x800000000000000032815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.183{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\LocalState\cHpfiXA9s.README.txt2023-01-16 11:47:27.183 11241100x800000000000000032814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.183{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\RoamingState\cHpfiXA9s.README.txt2023-01-16 11:47:27.182 10341000x800000000000000032813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.182{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\combase.dll+24fc2|C:\Windows\System32\combase.dll+25cee|C:\Windows\System32\combase.dll+25aff|C:\Windows\System32\combase.dll+59488|C:\Windows\System32\combase.dll+590a0|C:\Windows\System32\combase.dll+65e74|C:\Windows\System32\combase.dll+c29a4|C:\Windows\System32\combase.dll+63133|C:\Windows\System32\combase.dll+648f0|C:\Windows\System32\combase.dll+217a|C:\Windows\System32\RPCRT4.dll+d5ff4|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000032812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.178{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+31647|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.178{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+31647|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.178{FCCA13C7-3386-63C5-9101-00000000AF02}48206460C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b304|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b418|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a2d6|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x800000000000000032809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.178{FCCA13C7-394E-63C5-AC05-00000000AF02}71446844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000032808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.177{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\Settings\cHpfiXA9s.README.txt2023-01-16 11:47:27.177 10341000x800000000000000032807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.177{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+318d5|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.177{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+318d5|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.176{FCCA13C7-3386-63C5-9101-00000000AF02}48206460C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b304|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b418|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a2d6|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 11241100x800000000000000032804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.176{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\SystemAppData\cHpfiXA9s.README.txt2023-01-16 11:47:27.176 10341000x800000000000000032803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.176{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1af53|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.175{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1af53|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000032801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.175{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\TempState\cHpfiXA9s.README.txt2023-01-16 11:47:27.175 10341000x800000000000000032800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.175{FCCA13C7-3386-63C5-9101-00000000AF02}48206460C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b304|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b418|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a2d6|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x800000000000000032799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.174{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1af53|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.174{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1af53|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000032797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.174{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\cHpfiXA9s.README.txt2023-01-16 11:47:27.173 10341000x800000000000000032796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.173{FCCA13C7-3386-63C5-9101-00000000AF02}48206460C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b304|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b418|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a2d6|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 11241100x800000000000000032795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.173{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\AC\Temp\cHpfiXA9s.README.txt2023-01-16 11:47:27.173 10341000x800000000000000032794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.172{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1af53|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.172{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1af53|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000032792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.172{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\AC\cHpfiXA9s.README.txt2023-01-16 11:47:27.172 10341000x800000000000000032791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.171{FCCA13C7-3386-63C5-9101-00000000AF02}48206460C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b304|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b418|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a2d6|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 11241100x800000000000000032790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.171{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\AppData\cHpfiXA9s.README.txt2023-01-16 11:47:27.171 11241100x800000000000000032789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.170{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\LocalCache\cHpfiXA9s.README.txt2023-01-16 11:47:27.170 10341000x800000000000000032788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.170{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1af53|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.170{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1af53|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000032786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.169{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\LocalState\cHpfiXA9s.README.txt2023-01-16 11:47:27.169 10341000x800000000000000032785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.169{FCCA13C7-3386-63C5-9101-00000000AF02}48206460C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b304|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b418|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a2d6|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 11241100x800000000000000032784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.168{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\RoamingState\cHpfiXA9s.README.txt2023-01-16 11:47:27.168 13241300x800000000000000032783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:27.168{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe\REGISTRY\A\{315e610d-2b5e-bc0a-d48c-067c3deca3a6}\LocalState\NavigationPaneSeenTimeBinary Data 13241300x800000000000000032782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:27.168{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe\REGISTRY\A\{315e610d-2b5e-bc0a-d48c-067c3deca3a6}\LocalState\AllAppsSeenTimeBinary Data 13241300x800000000000000032781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:27.168{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe\REGISTRY\A\{315e610d-2b5e-bc0a-d48c-067c3deca3a6}\LocalState\FirstRunTimeBinary Data 10341000x800000000000000032780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.167{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000032779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:27.166{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe\REGISTRY\A\{315e610d-2b5e-bc0a-d48c-067c3deca3a6}\LocalState\FirstRunBinary Data 11241100x800000000000000032778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.164{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\Settings\cHpfiXA9s.README.txt2023-01-16 11:47:27.164 11241100x800000000000000032777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.163{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\SystemAppData\cHpfiXA9s.README.txt2023-01-16 11:47:27.163 11241100x800000000000000032776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.162{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\TempState\cHpfiXA9s.README.txt2023-01-16 11:47:27.162 11241100x800000000000000032775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.161{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\cHpfiXA9s.README.txt2023-01-16 11:47:27.161 11241100x800000000000000032774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.159{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\AC\Temp\cHpfiXA9s.README.txt2023-01-16 11:47:27.159 11241100x800000000000000032773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.159{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG22023-01-16 11:22:58.271 11241100x800000000000000032772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.158{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG12023-01-16 11:22:58.271 11241100x800000000000000032771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.158{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\AC\cHpfiXA9s.README.txt2023-01-16 11:47:27.158 11241100x800000000000000032770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.158{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat2023-01-16 11:22:49.604 11241100x800000000000000032769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.157{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\AppData\cHpfiXA9s.README.txt2023-01-16 11:47:27.157 11241100x800000000000000032768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.156{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\LocalCache\cHpfiXA9s.README.txt2023-01-16 11:47:27.156 11241100x800000000000000032767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.155{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\LocalState\cHpfiXA9s.README.txt2023-01-16 11:47:27.155 11241100x800000000000000032766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.154{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\RoamingState\cHpfiXA9s.README.txt2023-01-16 11:47:27.154 11241100x800000000000000032765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.154{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 10341000x800000000000000032764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.153{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000032763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.153{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE97DB779DE1BEC287CEF781ECBCA46F,SHA256=810963C482AA33B344C92119A122EE815D48EC4366DB5CF87C1C3DB7AC23DEC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.150{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.150{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000032760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.150{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\Settings\cHpfiXA9s.README.txt2023-01-16 11:47:27.149 10341000x800000000000000032759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.149{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5266|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.149{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000032757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.149{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 11241100x800000000000000032756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.149{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\SystemAppData\cHpfiXA9s.README.txt2023-01-16 11:47:27.148 10341000x800000000000000032755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.148{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.148{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000032753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.148{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000032752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.148{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.148{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.148{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000032749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.147{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\TempState\cHpfiXA9s.README.txt2023-01-16 11:47:27.147 10341000x800000000000000032748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.147{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.147{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000032746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.146{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\cHpfiXA9s.README.txt2023-01-16 11:47:27.146 11241100x800000000000000032745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.145{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\AC\Temp\cHpfiXA9s.README.txt2023-01-16 11:47:27.145 10341000x800000000000000032744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.145{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.145{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000032742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.144{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\AC\cHpfiXA9s.README.txt2023-01-16 11:47:27.144 10341000x800000000000000032741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.144{FCCA13C7-30FB-63C5-2900-00000000AF02}26605696C:\Windows\system32\svchost.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\tileobjserver.dll+bdb2|c:\windows\system32\tileobjserver.dll+4fd48|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000032740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.144{FCCA13C7-30FB-63C5-2900-00000000AF02}26605696C:\Windows\system32\svchost.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\tileobjserver.dll+bd5f|c:\windows\system32\tileobjserver.dll+4fd48|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 11241100x800000000000000032739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.143{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\AppData\cHpfiXA9s.README.txt2023-01-16 11:47:27.143 11241100x800000000000000032738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.142{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\LocalCache\cHpfiXA9s.README.txt2023-01-16 11:47:27.142 10341000x800000000000000032737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.142{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.142{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000032735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.141{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\LocalState\cHpfiXA9s.README.txt2023-01-16 11:47:27.141 10341000x800000000000000032734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.141{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.140{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000032732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.140{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\RoamingState\cHpfiXA9s.README.txt2023-01-16 11:47:27.139 10341000x800000000000000032731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.137{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.137{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000032729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.134{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\Settings\cHpfiXA9s.README.txt2023-01-16 11:47:27.134 11241100x800000000000000032728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.134{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\SystemAppData\cHpfiXA9s.README.txt2023-01-16 11:47:27.133 10341000x800000000000000032727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.133{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9728|C:\Windows\System32\TwinUI.dll+b998a|C:\Windows\System32\TwinUI.dll+ba185|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a85|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000032726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.133{FCCA13C7-3387-63C5-9D01-00000000AF02}12846008C:\Windows\Explorer.EXE{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9728|C:\Windows\System32\TwinUI.dll+b998a|C:\Windows\System32\TwinUI.dll+ba185|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a85|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 11241100x800000000000000032725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.133{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\TempState\cHpfiXA9s.README.txt2023-01-16 11:47:27.132 11241100x800000000000000032724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.132{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\cHpfiXA9s.README.txt2023-01-16 11:47:27.131 11241100x800000000000000032723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.131{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\Temp\cHpfiXA9s.README.txt2023-01-16 11:47:27.131 10341000x800000000000000032722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.131{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.130{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000032720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.130{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\cHpfiXA9s.README.txt2023-01-16 11:47:27.130 11241100x800000000000000032719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.129{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AppData\cHpfiXA9s.README.txt2023-01-16 11:47:27.129 11241100x800000000000000032718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.128{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\LocalCache\cHpfiXA9s.README.txt2023-01-16 11:47:27.128 11241100x800000000000000032717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.127{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\LocalState\cHpfiXA9s.README.txt2023-01-16 11:47:27.127 11241100x800000000000000032716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.126{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\RoamingState\cHpfiXA9s.README.txt2023-01-16 11:47:27.126 10341000x800000000000000032715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.124{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1af53|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.124{FCCA13C7-3386-63C5-9101-00000000AF02}48206356C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1af53|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.122{FCCA13C7-3386-63C5-9101-00000000AF02}48206460C:\Windows\System32\RuntimeBroker.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b304|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1b418|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a2d6|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 11241100x800000000000000032712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.121{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\Settings\cHpfiXA9s.README.txt2023-01-16 11:47:27.121 11241100x800000000000000032711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.120{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\SystemAppData\cHpfiXA9s.README.txt2023-01-16 11:47:27.120 11241100x800000000000000032710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.119{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\TempState\cHpfiXA9s.README.txt2023-01-16 11:47:27.119 11241100x800000000000000032709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.118{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\cHpfiXA9s.README.txt2023-01-16 11:47:27.118 11241100x800000000000000032708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.117{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\cHpfiXA9s.README.txt2023-01-16 11:47:27.117 11241100x800000000000000032707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.117{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Temp\cHpfiXA9s.README.txt2023-01-16 11:47:27.117 11241100x800000000000000032706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.116{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\cHpfiXA9s.README.txt2023-01-16 11:47:27.116 11241100x800000000000000032705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.115{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AppData\cHpfiXA9s.README.txt2023-01-16 11:47:27.113 11241100x800000000000000032704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.112{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalCache\cHpfiXA9s.README.txt2023-01-16 11:47:27.112 10341000x800000000000000032703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.105{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.105{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.104{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.104{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000032699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-ConnectPipe2023-01-16 11:47:27.103{FCCA13C7-394E-63C5-AB05-00000000AF02}6544\TDLN-6544-41C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe 17141700x800000000000000032698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-CreatePipe2023-01-16 11:47:27.103{FCCA13C7-30FB-63C5-2900-00000000AF02}2660\TDLN-6544-41C:\Windows\system32\svchost.exe 10341000x800000000000000032697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.102{FCCA13C7-30FB-63C5-2900-00000000AF02}26605696C:\Windows\system32\svchost.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\tileobjserver.dll+bdb2|c:\windows\system32\tileobjserver.dll+26d62|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000032696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.102{FCCA13C7-30FB-63C5-2900-00000000AF02}26605696C:\Windows\system32\svchost.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\tileobjserver.dll+bd5f|c:\windows\system32\tileobjserver.dll+26d62|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x800000000000000032695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.101{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.101{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.098{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.098{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x800000000000000032691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:27.091{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TileDataModel\Mounting_S-1-5-21-489063788-1047142772-617343651-500 11241100x800000000000000032690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.049{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\TileDataLayer\Database\vedatamodel.edb2023-01-16 10:36:29.088 23542300x800000000000000032689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.047{FCCA13C7-3387-63C5-9D01-00000000AF02}1284ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000014.dbMD5=4190DFC097268AB7471CDF1439C62B4A,SHA256=60EEA6A1B6D857D6855A880BF89BECC4843E53275EF35D0CE82D94CF7F5CC685,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.044{FCCA13C7-30FB-63C5-2900-00000000AF02}26605824C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\tileobjserver.dll+bdb2|c:\windows\system32\tileobjserver.dll+26d62|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000032687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.044{FCCA13C7-30FB-63C5-2900-00000000AF02}26605824C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\tileobjserver.dll+bd5f|c:\windows\system32\tileobjserver.dll+26d62|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x800000000000000032686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.043{FCCA13C7-30FB-63C5-2900-00000000AF02}26605824C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\tileobjserver.dll+bdb2|c:\windows\system32\tileobjserver.dll+26cae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000032685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.043{FCCA13C7-30FB-63C5-2900-00000000AF02}26605824C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\tileobjserver.dll+bd5f|c:\windows\system32\tileobjserver.dll+26cae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 11241100x800000000000000032684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.040{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\TileDataLayer\Database\vedatamodel.jfm2023-01-16 10:36:29.088 11241100x800000000000000032683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.037{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000015.db2023-01-16 11:47:27.036 11241100x800000000000000032682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.025{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\TileDataLayer\Database\EDB.chk2023-01-16 10:36:29.104 11241100x800000000000000032681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.017{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000032680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.016{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF31D2FD46BB62E750FB32F829CA331,SHA256=BE210D87236F1545F7CC1961CFC120D3AD198973142ED48485C6C76C5355FD68,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000032679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.015{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\TileDataLayer\Database\EDBres00002.jrs2023-01-16 10:36:29.088 11241100x800000000000000032678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.009{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\TileDataLayer\Database\EDBres00001.jrs2023-01-16 10:36:29.104 11241100x800000000000000032677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:27.004{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\TileDataLayer\Database\EDBtmp.log2023-01-16 10:36:29.088 23542300x800000000000000014066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:27.281{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB79AA9DC259ECB444F6D9F1C77CFB56,SHA256=91301FC3743B5DE683C11DA9E3B746504E95B075A74775EEF1238518B96B983F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000033057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.998{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\.chocolatey\notepadplusplus.install.8.4.8\cHpfiXA9s.README.txt2023-01-16 11:47:28.998 11241100x800000000000000033056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.996{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\.chocolatey\cHpfiXA9s.README.txt2023-01-16 11:47:28.996 11241100x800000000000000033055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.989{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\bin\cHpfiXA9s.README.txt2023-01-16 11:47:28.988 354300x800000000000000033054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.451{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56871-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000033053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:26.451{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56871-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000033052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.618{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56870-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000033051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:25.618{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56870-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 11241100x800000000000000033050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.981{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\config\cHpfiXA9s.README.txt2023-01-16 11:47:28.981 11241100x800000000000000033049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.956{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\extensions\chocolatey-compatibility\helpers\cHpfiXA9s.README.txt2023-01-16 11:47:28.956 11241100x800000000000000033048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.940{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\extensions\chocolatey-compatibility\cHpfiXA9s.README.txt2023-01-16 11:47:28.940 11241100x800000000000000033047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.925{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\extensions\chocolatey-core\cHpfiXA9s.README.txt2023-01-16 11:47:28.925 11241100x800000000000000033046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.925{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\extensions\cHpfiXA9s.README.txt2023-01-16 11:47:28.909 11241100x800000000000000033045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.800{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\helpers\functions\cHpfiXA9s.README.txt2023-01-16 11:47:28.800 11241100x800000000000000033044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.784{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\helpers\cHpfiXA9s.README.txt2023-01-16 11:47:28.784 11241100x800000000000000033043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.784{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\lib\7zip\cHpfiXA9s.README.txt2023-01-16 11:47:28.784 11241100x800000000000000033042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.768{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\lib\7zip.install\legal\cHpfiXA9s.README.txt2023-01-16 11:47:28.768 11241100x800000000000000033041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.768{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\lib\7zip.install\tools\cHpfiXA9s.README.txt2023-01-16 11:47:28.768 11241100x800000000000000033040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.753{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\lib\7zip.install\cHpfiXA9s.README.txt2023-01-16 11:47:28.753 11241100x800000000000000033039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.753{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\lib\chocolatey\cHpfiXA9s.README.txt2023-01-16 11:47:28.753 11241100x800000000000000033038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.721{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\lib\chocolatey-compatibility.extension\extensions\helpers\cHpfiXA9s.README.txt2023-01-16 11:47:28.721 11241100x800000000000000033037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.721{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\lib\chocolatey-compatibility.extension\extensions\cHpfiXA9s.README.txt2023-01-16 11:47:28.721 11241100x800000000000000033036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.721{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\lib\chocolatey-compatibility.extension\cHpfiXA9s.README.txt2023-01-16 11:47:28.721 11241100x800000000000000033035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.690{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\lib\chocolatey-core.extension\extensions\cHpfiXA9s.README.txt2023-01-16 11:47:28.690 11241100x800000000000000033034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.675{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\lib\chocolatey-core.extension\cHpfiXA9s.README.txt2023-01-16 11:47:28.675 11241100x800000000000000033033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.675{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\lib\Firefox\tools\cHpfiXA9s.README.txt2023-01-16 11:47:28.675 11241100x800000000000000033032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.659{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\lib\Firefox\cHpfiXA9s.README.txt2023-01-16 11:47:28.659 11241100x800000000000000033031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.659{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\lib\git\cHpfiXA9s.README.txt2023-01-16 11:47:28.659 11241100x800000000000000033030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.643{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\lib\git.install\legal\cHpfiXA9s.README.txt2023-01-16 11:47:28.643 11241100x800000000000000033029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.628{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\lib\git.install\tools\cHpfiXA9s.README.txt2023-01-16 11:47:28.628 11241100x800000000000000033028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.628{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\lib\git.install\cHpfiXA9s.README.txt2023-01-16 11:47:28.628 11241100x800000000000000033027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.628{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\lib\notepadplusplus\tools\cHpfiXA9s.README.txt2023-01-16 11:47:28.628 11241100x800000000000000033026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.612{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\lib\notepadplusplus\cHpfiXA9s.README.txt2023-01-16 11:47:28.612 11241100x800000000000000033025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.612{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\lib\notepadplusplus.install\legal\cHpfiXA9s.README.txt2023-01-16 11:47:28.612 11241100x800000000000000033024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.596{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\lib\notepadplusplus.install\tools\cHpfiXA9s.README.txt2023-01-16 11:47:28.596 11241100x800000000000000033023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.596{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\lib\notepadplusplus.install\cHpfiXA9s.README.txt2023-01-16 11:47:28.596 11241100x800000000000000033022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.582{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\lib\cHpfiXA9s.README.txt2023-01-16 11:47:28.582 11241100x800000000000000033021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.582{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\logs\cHpfiXA9s.README.txt2023-01-16 11:47:28.582 11241100x800000000000000033020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.565{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\redirects\cHpfiXA9s.README.txt2023-01-16 11:47:28.565 11241100x800000000000000033019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.534{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\tools\cHpfiXA9s.README.txt2023-01-16 11:47:28.534 11241100x800000000000000033018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.519{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\cHpfiXA9s.README.txt2023-01-16 11:47:28.519 11241100x800000000000000033017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.519{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Comms\cHpfiXA9s.README.txt2023-01-16 11:47:28.519 11241100x800000000000000033016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.519{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Package Cache\{2c673fb6-3e65-4751-965d-33d30b68a8a6}\cHpfiXA9s.README.txt2023-01-16 11:47:28.519 11241100x800000000000000033015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.519{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Package Cache\{38EFA84F-75A4-4F4E-BA53-4E260EFCEE1C}v2.0.19\cHpfiXA9s.README.txt2023-01-16 11:47:28.519 11241100x800000000000000033014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.503{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Package Cache\{74bc3bd9-5872-4bcd-9f39-ca47be15b4ad}\cHpfiXA9s.README.txt2023-01-16 11:47:28.503 11241100x800000000000000033013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.503{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Package Cache\{790D0266-9BA3-4260-A359-0876388DAF2A}v3.1.1856.0\cHpfiXA9s.README.txt2023-01-16 11:47:28.503 11241100x800000000000000033012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.503{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Package Cache\{7F4A9F52-173F-4B0D-B1EA-269C32EDA827}v14.29.30139\packages\vcRuntimeAdditional_amd64\cHpfiXA9s.README.txt2023-01-16 11:47:28.503 11241100x800000000000000033011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.503{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Package Cache\{7F4A9F52-173F-4B0D-B1EA-269C32EDA827}v14.29.30139\packages\cHpfiXA9s.README.txt2023-01-16 11:47:28.503 11241100x800000000000000033010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.487{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Package Cache\{7F4A9F52-173F-4B0D-B1EA-269C32EDA827}v14.29.30139\cHpfiXA9s.README.txt2023-01-16 11:47:28.487 11241100x800000000000000033009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.487{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Package Cache\{a03aa3d3-9def-49cc-b485-98af979363d5}\cHpfiXA9s.README.txt2023-01-16 11:47:28.487 11241100x800000000000000033008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.487{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Package Cache\{A6D3F752-BF11-4D7C-B19C-F6F96A35CF50}v14.29.30139\packages\vcRuntimeMinimum_amd64\cHpfiXA9s.README.txt2023-01-16 11:47:28.487 11241100x800000000000000033007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.487{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Package Cache\{A6D3F752-BF11-4D7C-B19C-F6F96A35CF50}v14.29.30139\packages\cHpfiXA9s.README.txt2023-01-16 11:47:28.487 11241100x800000000000000033006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.487{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Package Cache\{A6D3F752-BF11-4D7C-B19C-F6F96A35CF50}v14.29.30139\cHpfiXA9s.README.txt2023-01-16 11:47:28.487 11241100x800000000000000033005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.471{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Package Cache\{B1A3AC35-A431-4C8C-9D21-E2CA92047F76}v2.0.533.0\cHpfiXA9s.README.txt2023-01-16 11:47:28.471 11241100x800000000000000033004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.471{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Package Cache\cHpfiXA9s.README.txt2023-01-16 11:47:28.471 11241100x800000000000000033003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.471{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\regid.1991-06.com.microsoft\cHpfiXA9s.README.txt2023-01-16 11:47:28.471 11241100x800000000000000033002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.471{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\shimgen\generatedfiles\cHpfiXA9s.README.txt2023-01-16 11:47:28.471 11241100x800000000000000033001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.471{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\shimgen\cHpfiXA9s.README.txt2023-01-16 11:47:28.471 11241100x800000000000000033000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.471{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\SoftwareDistribution\cHpfiXA9s.README.txt2023-01-16 11:47:28.471 11241100x800000000000000032999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.456{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\USOPrivate\UpdateStore\cHpfiXA9s.README.txt2023-01-16 11:47:28.456 11241100x800000000000000032998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.456{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\USOPrivate\cHpfiXA9s.README.txt2023-01-16 11:47:28.456 11241100x800000000000000032997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.221{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\USOShared\Logs\User\cHpfiXA9s.README.txt2023-01-16 11:47:28.221 11241100x800000000000000032996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.025{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000032995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:28.024{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7684AA19A6CCE8D766CF3D4837585B90,SHA256=B73DF30FD1467E13E6FC856C7AB314B49620EA285A365AFD46F37133133C03FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:28.381{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=356FA70EC155A4BA471734DC0BEB23AE,SHA256=829E4EF36AC69C6C2BC337A26E0D9668089173AD0DF0EBE40E674F5830B38619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:28.350{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=750057A90160F237AB639070609D3BAE,SHA256=2809418D4ABB76129905D08AB7C61AE1E7D2F2939D23A485FDC65096C8A207CE,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000033144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:29.808{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:29.808{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:29.808{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:29.808{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:29.808{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:29.808{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000033138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.793{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:29.793{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:29.793{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:29.793{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:29.793{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:29.793{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 12241200x800000000000000033132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:29.579{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:29.579{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:29.579{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:29.579{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:29.579{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:29.579{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000033126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.563{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:29.563{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:29.563{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:29.563{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:29.563{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:29.563{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 12241200x800000000000000033120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:29.352{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:29.352{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:29.352{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:29.352{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:29.352{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:29.352{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000033114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.347{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:29.332{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:29.332{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:29.332{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:29.332{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:29.332{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 10341000x800000000000000033108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.196{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000033107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.196{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000033106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.196{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 11241100x800000000000000033105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.146{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000033104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.145{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6219C16CBF1DFB005C45207E2403AAE6,SHA256=88CC1EF239F90494D06472DF9FC96D2517C671D78B16CCDA9F3BD14F6BE38106,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.131{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\termination\respondent-20230116111158-000MD5=BD2559E65797630422DC199F08D31179,SHA256=BFA5D268AF768AFE460EF9EA9158E828EA3C2BA05F1E4989C6E9A71CDAC45AC1,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000033102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:29.131{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:29.131{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:29.131{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:29.130{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:29.130{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:29.130{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 11241100x800000000000000033096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.128{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\termination\tmp\respondent-20230116111158-0002023-01-16 11:47:29.128 11241100x800000000000000033095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.127{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\termination\tmp\surveyor-20230116111156-0002023-01-16 11:47:29.126 13241300x800000000000000033094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:29.126{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\AmazonSSMAgent\StartDWORD (0x00000004) 13241300x800000000000000033093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:29.126{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\AmazonSSMAgent\DeleteFlagDWORD (0x00000001) 10341000x800000000000000033092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.116{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-3951-63C5-AD05-00000000AF02}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.116{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000033090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.115{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.115{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.115{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.115{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.115{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-3951-63C5-AD05-00000000AF02}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.114{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-3951-63C5-AD05-00000000AF02}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.113{FCCA13C7-3951-63C5-AD05-00000000AF02}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000033083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:29.096{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:29.096{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:29.096{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:29.096{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:29.096{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 11241100x800000000000000033078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.095{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\Logs\cHpfiXA9s.README.txt2023-01-16 11:47:29.095 11241100x800000000000000033077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.095{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\Packages\cHpfiXA9s.README.txt2023-01-16 11:47:29.094 11241100x800000000000000033076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.091{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\runtimeconfig\cHpfiXA9s.README.txt2023-01-16 11:47:29.090 11241100x800000000000000033075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.084{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\Update\amazon-ssm-agent\3.1.1856.0\cHpfiXA9s.README.txt2023-01-16 11:47:29.084 11241100x800000000000000033074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.084{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\Update\amazon-ssm-agent\cHpfiXA9s.README.txt2023-01-16 11:47:29.083 11241100x800000000000000033073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.082{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\Update\amazon-ssm-agent-updater\3.2.419.0\cHpfiXA9s.README.txt2023-01-16 11:47:29.081 11241100x800000000000000033072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.081{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\Update\amazon-ssm-agent-updater\cHpfiXA9s.README.txt2023-01-16 11:47:29.081 11241100x800000000000000033071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.077{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\Update\cHpfiXA9s.README.txt2023-01-16 11:47:29.076 11241100x800000000000000033070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.075{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\cHpfiXA9s.README.txt2023-01-16 11:47:29.075 11241100x800000000000000033069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.075{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\Tools\cHpfiXA9s.README.txt2023-01-16 11:47:29.074 11241100x800000000000000033068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.074{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\cHpfiXA9s.README.txt2023-01-16 11:47:29.073 11241100x800000000000000033067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.072{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\ansible\log\cHpfiXA9s.README.txt2023-01-16 11:47:29.072 11241100x800000000000000033066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.072{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\ansible\cHpfiXA9s.README.txt2023-01-16 11:47:29.072 11241100x800000000000000033065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.067{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\.chocolatey\7zip.22.1\cHpfiXA9s.README.txt2023-01-16 11:47:29.066 11241100x800000000000000033064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.057{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\.chocolatey\7zip.install.22.1\cHpfiXA9s.README.txt2023-01-16 11:47:29.057 11241100x800000000000000033063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.051{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\.chocolatey\chocolatey-compatibility.extension.1.0.0\cHpfiXA9s.README.txt2023-01-16 11:47:29.050 11241100x800000000000000033062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.045{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\.chocolatey\chocolatey-core.extension.1.4.0\cHpfiXA9s.README.txt2023-01-16 11:47:29.044 11241100x800000000000000033061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.036{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\.chocolatey\Firefox.108.0.2\cHpfiXA9s.README.txt2023-01-16 11:47:29.036 11241100x800000000000000033060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.029{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\.chocolatey\git.2.39.0\cHpfiXA9s.README.txt2023-01-16 11:47:29.029 11241100x800000000000000033059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.018{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\.chocolatey\git.install.2.39.0\cHpfiXA9s.README.txt2023-01-16 11:47:29.018 11241100x800000000000000033058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:29.009{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\chocolatey\.chocolatey\notepadplusplus.8.4.8\cHpfiXA9s.README.txt2023-01-16 11:47:29.008 10341000x800000000000000014076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:29.978{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:29.971{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:29.958{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:29.948{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:29.934{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:29.927{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:29.925{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 23542300x800000000000000014069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:29.371{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7866A74F3F178FEDC4D01FFB79595A49,SHA256=D5735C5F29A12506100C9D621B791F4968CAC19533D2601BC2D3154C300C9DB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:30.813{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13A0BA1EC35241465DA7BB3AC8FC75C2,SHA256=F192DEE4B9ED362C6B79C9E81E67549AF60FB538FB4B0AA631E59EBA29BB7C6D,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000033209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:30.939{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:30.939{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:30.939{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:30.939{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:30.939{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:30.939{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000033203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:30.924{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:30.924{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:30.924{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:30.924{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:30.924{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:30.924{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 12241200x800000000000000033197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:30.714{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:30.714{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:30.714{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:30.714{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:30.714{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:30.714{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000033191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:30.698{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:30.698{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:30.698{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:30.698{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:30.698{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:30.698{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 12241200x800000000000000033185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:30.483{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:30.483{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:30.483{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:30.483{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:30.483{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:30.483{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000033179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:30.468{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:30.468{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:30.468{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:30.468{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:30.468{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:30.468{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 12241200x800000000000000033173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:30.252{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:30.252{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:30.252{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:30.252{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:30.252{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:30.252{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000033167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:30.247{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:30.233{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:30.233{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:30.233{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:30.233{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:30.233{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 11241100x800000000000000033161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:30.177{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000033160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:30.177{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983F5EF4B489B18EE6FEADEC66C97F68,SHA256=F5695D1AE12E683E5956432B960C13717F24AAC950488FD5681C11DBBDC4F54A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000033159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:30.175{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 11:10:32.859 23542300x800000000000000033158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:30.175{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=490466A7DF397E17B6F14548EC0841ED,SHA256=68CBA9D5DD0D3235E916DEC4813E1A81871A7FA41F8EA663FCC1068EA007F568,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:30.129{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\termination\surveyor-20230116111156-000MD5=13B075665B362AEBAA962867709D6032,SHA256=F5617938160195F3C9D1D3B39A265732908A85CDCFD490A7902131616AB6230D,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000033156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:30.032{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:30.032{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:30.032{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:30.032{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:30.032{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:30.032{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000033150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:30.027{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:30.013{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:30.013{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:30.013{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:30.013{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:30.013{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 10341000x800000000000000014100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:30.137{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:30.135{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:30.133{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:30.132{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:30.127{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:30.123{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:30.122{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:30.121{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:30.120{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:30.118{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:30.116{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:30.115{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:30.112{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:30.104{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:30.102{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:30.096{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:30.088{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:30.070{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:30.067{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:30.054{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:30.047{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:30.039{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:30.024{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:30.016{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 23542300x800000000000000014102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:31.868{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA00009A183CE9ECDA82E3234F2D8A82,SHA256=B99DCB7BB1F3A47AA56DDE5A4D2FCA084459052349228E7535984A26BC58BFAF,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000033259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:31.840{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:31.840{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:31.840{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:31.840{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:31.840{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:31.840{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000033253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:31.825{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:31.825{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:31.825{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:31.825{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:31.825{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:31.825{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 12241200x800000000000000033247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:31.619{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:31.619{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:31.619{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:31.619{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:31.619{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:31.619{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000033241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:31.614{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:31.601{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:31.600{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:31.600{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:31.600{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 13241300x800000000000000033236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:31.600{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 12241200x800000000000000033235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:31.394{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:31.394{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:31.394{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:31.394{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:31.394{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:31.394{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000033229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:31.378{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:31.378{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:31.378{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:31.377{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:31.377{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:31.377{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 11241100x800000000000000033223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:31.215{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000033222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:31.215{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65FA81624371C8D698E44EA1C7F39C7E,SHA256=F77515498D82005973BE7E6FDD624BC5E7FE6B0F9CD089BE9BECB5F1A9E5B1BA,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000033221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:31.162{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:31.162{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:31.162{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:31.162{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:31.162{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:31.162{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000033215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:31.145{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:31.145{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:31.145{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:31.145{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:31.145{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:31.145{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 23542300x800000000000000014104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:32.954{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40A4941FB57BE46C1F8405E981B0F9ED,SHA256=B20527FB05EC27D384C0E5200E2298A930A88C276838BC81A68E83EEB88D21B9,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000033321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:32.978{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:32.978{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:32.978{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:32.978{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:32.978{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:32.978{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000033315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:32.963{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:32.963{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:32.963{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:32.963{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:32.963{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:32.963{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 12241200x800000000000000033309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:32.761{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:32.761{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:32.761{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:32.761{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:32.761{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:32.761{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000033303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:32.756{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:32.741{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:32.741{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:32.740{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:32.740{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:32.740{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 12241200x800000000000000033297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:32.529{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:32.529{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:32.529{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:32.529{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:32.529{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:32.529{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000033291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:32.529{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:32.514{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:32.514{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:32.514{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:32.514{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:32.514{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 11241100x800000000000000033285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:32.389{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000033284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:32.389{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0062BDB15076E167608C634EF92531CD,SHA256=9E72323DDD03E4B07B2E3CFD762FF4B04106E3BB0B63E71ECCB6E0CAB76D4B35,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000033283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:32.304{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:32.304{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:32.304{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:32.304{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:32.304{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:32.304{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000033277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:32.298{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:32.276{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:32.276{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:32.276{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:32.276{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:32.276{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 354300x800000000000000014103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:29.490{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49990-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 12241200x800000000000000033271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:32.065{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:32.065{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:32.065{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:32.065{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:32.065{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:32.065{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000033265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:32.061{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:32.046{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:32.046{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:32.046{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:32.046{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:32.046{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 12241200x800000000000000033371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:33.912{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:33.912{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:33.912{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:33.912{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:33.912{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:33.912{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000033365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:33.896{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:33.887{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:33.887{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:33.887{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:33.887{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:33.887{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 12241200x800000000000000033359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:33.667{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:33.667{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:33.667{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:33.667{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:33.667{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:33.667{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000033353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:33.651{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:33.651{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:33.651{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:33.651{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:33.651{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:33.651{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 11241100x800000000000000033347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:33.542{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000033346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:33.542{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D3DDED289A3A6BB8B482F87988E472A,SHA256=65DB6DA044E1E50394FF608E605AEC54A096C076659B2213DEC1F0F4C18E5A90,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000033345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:33.432{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:33.432{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:33.432{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:33.432{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:33.432{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:33.432{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000033339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:33.432{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:33.417{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:33.417{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:33.417{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:33.417{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:33.417{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 12241200x800000000000000033333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:33.212{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:33.212{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:33.212{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:33.212{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:33.212{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:33.212{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000033327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:33.207{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:33.193{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:33.193{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:33.193{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:33.193{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:33.193{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 12241200x800000000000000033422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:34.821{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:34.821{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:34.821{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:34.821{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:34.821{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:34.821{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000033416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:34.821{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:34.806{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:34.806{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:34.806{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:34.806{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:34.806{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 11241100x800000000000000033410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:34.671{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000033409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:34.671{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4BF0C6C2E0D2E4A4AAF16257BC01380,SHA256=6C0788CD1105F40A9B8B358632B5352BB7B8F5A17F4E40F48564C97D88B623CD,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000033408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:34.592{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:34.592{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:34.592{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:34.592{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:34.592{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:34.592{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000033402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:34.592{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:34.576{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:34.576{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:34.576{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:34.576{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:34.576{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 23542300x800000000000000014105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:34.057{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=560E89ED4B6404A800612A9BFA38D2CA,SHA256=A8F1315214B3146DDAC3650E4C900288DA6EFDC6F23D9E690A741952917BDB65,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000033396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:34.362{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:34.362{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:34.362{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:34.362{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:34.362{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:34.362{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000033390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:34.362{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:34.352{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:34.352{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:34.352{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:34.352{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:34.352{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 12241200x800000000000000033384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:34.142{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:34.142{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:34.142{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:34.142{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:34.142{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:34.142{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000033378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:34.126{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:34.126{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:34.126{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:34.126{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:34.126{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:34.126{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 354300x800000000000000033372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:30.602{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56872-false10.0.1.12-8000- 13241300x800000000000000033479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:35.994{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:35.994{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:35.994{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:35.994{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:35.994{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 11241100x800000000000000033474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:35.900{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 11:10:32.859 23542300x800000000000000033473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:35.900{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=524CF7A7BE15D73FBD49FE9E3034892C,SHA256=6FE5E08A89D4BF248DDC7F905E1F50D52634A310B5F182C3A1D6EFA85332D7F7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000033472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:35.869{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000033471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:35.869{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D5A7D019842FAC4856BF6851FA44032,SHA256=15594885E63CC5463DDA9933581EF2E604A98CDF0FB4AF971B82378DAEB1F339,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000033470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:35.775{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:35.775{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:35.775{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:35.775{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:35.775{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:35.775{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000033464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:35.759{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:35.759{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:35.759{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:35.759{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:35.759{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:35.759{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 23542300x800000000000000014106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:35.140{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF37BA7DEFF5D88AD9F37D1CD5C64E4,SHA256=B2D7AB03954AEF3EAFDC4C82250921BB30AE0DAADE4D264B3C46AE1B84E489B1,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000033458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:35.541{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:35.541{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:35.541{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:35.541{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:35.541{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:35.541{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000033452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:35.525{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:35.525{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:35.525{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:35.525{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:35.525{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:35.525{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 12241200x800000000000000033446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:35.307{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:35.307{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:35.307{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:35.307{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:35.307{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:35.307{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000033440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:35.291{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:35.291{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:35.291{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:35.291{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:35.291{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:35.291{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 12241200x800000000000000033434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:35.057{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:35.057{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:35.057{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:35.057{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:35.057{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:35.057{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000033428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:35.057{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:35.040{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:35.040{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:35.040{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:35.040{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:35.040{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 11241100x800000000000000033547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.855{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\EC2-Windows\Launch\Module\Scripts\cHpfiXA9s.README.txt2023-01-16 11:47:36.855 11241100x800000000000000033546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.840{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\EC2-Windows\Launch\Module\cHpfiXA9s.README.txt2023-01-16 11:47:36.840 11241100x800000000000000033545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.824{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\cHpfiXA9s.README.txt2023-01-16 11:47:36.824 11241100x800000000000000033544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.809{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\EC2-Windows\Launch\Settings\cHpfiXA9s.README.txt2023-01-16 11:47:36.809 11241100x800000000000000033543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.793{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\EC2-Windows\Launch\Sysprep\cHpfiXA9s.README.txt2023-01-16 11:47:36.793 23542300x800000000000000014107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:36.245{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC4C03DEFE3A5C6C4724377113157914,SHA256=45361BD512DD2E7E013748CE52054905C74E5CECDA1BECA031EF82A28CE4FBDD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000033542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.762{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\EC2-Windows\Launch\cHpfiXA9s.README.txt2023-01-16 11:47:36.762 11241100x800000000000000033541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.762{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\EC2-Windows\cHpfiXA9s.README.txt2023-01-16 11:47:36.762 11241100x800000000000000033540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.762{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\Daemons\cHpfiXA9s.README.txt2023-01-16 11:47:36.762 11241100x800000000000000033539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.746{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\Download\cHpfiXA9s.README.txt2023-01-16 11:47:36.746 11241100x800000000000000033538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.746{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\cHpfiXA9s.README.txt2023-01-16 11:47:36.746 11241100x800000000000000033537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.746{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\cHpfiXA9s.README.txt2023-01-16 11:47:36.746 11241100x800000000000000033536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.730{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\InstanceData\i-072afca23b5ec3b7c\document\orchestration\629acbc0-a9b5-45b6-b92a-4ff39066e85b\awsrunPowerShellScript\0.awsrunPowerShellScript\cHpfiXA9s.README.txt2023-01-16 11:47:36.730 11241100x800000000000000033535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.730{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\InstanceData\i-072afca23b5ec3b7c\document\orchestration\629acbc0-a9b5-45b6-b92a-4ff39066e85b\awsrunPowerShellScript\cHpfiXA9s.README.txt2023-01-16 11:47:36.730 11241100x800000000000000033534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.730{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\InstanceData\i-072afca23b5ec3b7c\document\orchestration\629acbc0-a9b5-45b6-b92a-4ff39066e85b\cHpfiXA9s.README.txt2023-01-16 11:47:36.730 11241100x800000000000000033533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.730{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\InstanceData\i-072afca23b5ec3b7c\document\orchestration\7941a93b-4b4a-4330-9c32-6c498342aa0e\awsrunPowerShellScript\RunSysprep\cHpfiXA9s.README.txt2023-01-16 11:47:36.730 11241100x800000000000000033532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.730{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\InstanceData\i-072afca23b5ec3b7c\document\orchestration\7941a93b-4b4a-4330-9c32-6c498342aa0e\awsrunPowerShellScript\cHpfiXA9s.README.txt2023-01-16 11:47:36.730 11241100x800000000000000033531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.715{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\InstanceData\i-072afca23b5ec3b7c\document\orchestration\7941a93b-4b4a-4330-9c32-6c498342aa0e\RunSysprep\cHpfiXA9s.README.txt2023-01-16 11:47:36.715 11241100x800000000000000033530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.715{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\InstanceData\i-072afca23b5ec3b7c\document\orchestration\7941a93b-4b4a-4330-9c32-6c498342aa0e\cHpfiXA9s.README.txt2023-01-16 11:47:36.715 11241100x800000000000000033529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.715{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\InstanceData\i-072afca23b5ec3b7c\document\orchestration\cHpfiXA9s.README.txt2023-01-16 11:47:36.715 11241100x800000000000000033528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.715{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\InstanceData\i-072afca23b5ec3b7c\document\cHpfiXA9s.README.txt2023-01-16 11:47:36.715 11241100x800000000000000033527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.715{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\InstanceData\i-072afca23b5ec3b7c\idempotency\SendCommand\3b2fd8ad-c256-450a-9ff8-b57a8e0eff29\cHpfiXA9s.README.txt2023-01-16 11:47:36.715 11241100x800000000000000033526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.715{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\InstanceData\i-072afca23b5ec3b7c\idempotency\SendCommand\629acbc0-a9b5-45b6-b92a-4ff39066e85b\cHpfiXA9s.README.txt2023-01-16 11:47:36.715 11241100x800000000000000033525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.715{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\InstanceData\i-072afca23b5ec3b7c\idempotency\SendCommand\7941a93b-4b4a-4330-9c32-6c498342aa0e\cHpfiXA9s.README.txt2023-01-16 11:47:36.715 11241100x800000000000000033524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.715{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\InstanceData\i-072afca23b5ec3b7c\idempotency\SendCommand\8cdcc1f3-348a-41b9-a7f1-61ab6987fd47\cHpfiXA9s.README.txt2023-01-16 11:47:36.715 11241100x800000000000000033523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.715{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\InstanceData\i-072afca23b5ec3b7c\idempotency\SendCommand\cba00428-62a2-448a-a516-74b7808e6f3d\cHpfiXA9s.README.txt2023-01-16 11:47:36.715 11241100x800000000000000033522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.715{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\InstanceData\i-072afca23b5ec3b7c\idempotency\SendCommand\efc879f3-01c6-4032-b51b-1ff9a0a91c05\cHpfiXA9s.README.txt2023-01-16 11:47:36.715 11241100x800000000000000033521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.715{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\InstanceData\i-072afca23b5ec3b7c\idempotency\SendCommand\ffd71fed-24fa-45dc-88d1-89759eb4c443\cHpfiXA9s.README.txt2023-01-16 11:47:36.715 11241100x800000000000000033520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.715{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\InstanceData\i-072afca23b5ec3b7c\idempotency\SendCommand\cHpfiXA9s.README.txt2023-01-16 11:47:36.715 11241100x800000000000000033519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.715{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\InstanceData\i-072afca23b5ec3b7c\idempotency\cHpfiXA9s.README.txt2023-01-16 11:47:36.715 11241100x800000000000000033518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.715{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\InstanceData\i-072afca23b5ec3b7c\cHpfiXA9s.README.txt2023-01-16 11:47:36.715 11241100x800000000000000033517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.700{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\InstanceData\cHpfiXA9s.README.txt2023-01-16 11:47:36.700 11241100x800000000000000033516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.700{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\LocalCommands\Completed\cHpfiXA9s.README.txt2023-01-16 11:47:36.700 11241100x800000000000000033515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.700{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\LocalCommands\cHpfiXA9s.README.txt2023-01-16 11:47:36.700 11241100x800000000000000033514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.700{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\Locks\Packages\cHpfiXA9s.README.txt2023-01-16 11:47:36.700 11241100x800000000000000033513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.700{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\Locks\cHpfiXA9s.README.txt2023-01-16 11:47:36.700 11241100x800000000000000033512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.700{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\SSM\Logs\audits\cHpfiXA9s.README.txt2023-01-16 11:47:36.700 12241200x800000000000000033511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:36.658{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\AmazonSSMAgent 12241200x800000000000000033510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:36.467{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:36.467{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:36.467{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:36.467{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:36.467{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:36.467{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000033504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.467{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:36.451{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:36.451{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:36.451{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:36.451{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:36.451{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 12241200x800000000000000033498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:36.242{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:36.242{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:36.242{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:36.242{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:36.242{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:36.242{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000033492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.237{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:36.220{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:36.220{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:36.220{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:36.220{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:36.220{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 12241200x800000000000000033486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:36.009{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:36.009{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:36.009{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:36.009{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:36.009{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:36.009{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000033480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:36.009{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 11241100x800000000000000033637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.992{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Common Files\System\msadc\cHpfiXA9s.README.txt2023-01-16 11:47:37.992 11241100x800000000000000033636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.977{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Common Files\System\Ole DB\en-US\cHpfiXA9s.README.txt2023-01-16 11:47:37.977 11241100x800000000000000033635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.836{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Common Files\System\Ole DB\cHpfiXA9s.README.txt2023-01-16 11:47:37.836 354300x800000000000000014109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:34.553{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49991-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:37.333{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B166232CB1524D0FA09CBED0BA53C08B,SHA256=9258D461B28B89512923FEAD8204E061E186672B591A902493570329D409A24E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000033634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.789{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Common Files\System\cHpfiXA9s.README.txt2023-01-16 11:47:37.789 11241100x800000000000000033633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.789{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Common Files\cHpfiXA9s.README.txt2023-01-16 11:47:37.789 11241100x800000000000000033632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.789{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Internet Explorer\en-US\cHpfiXA9s.README.txt2023-01-16 11:47:37.789 11241100x800000000000000033631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.789{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Internet Explorer\images\cHpfiXA9s.README.txt2023-01-16 11:47:37.789 11241100x800000000000000033630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.789{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Internet Explorer\SIGNUP\cHpfiXA9s.README.txt2023-01-16 11:47:37.789 11241100x800000000000000033629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.742{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Internet Explorer\cHpfiXA9s.README.txt2023-01-16 11:47:37.742 11241100x800000000000000033628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.742{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Microsoft.NET\RedistList\cHpfiXA9s.README.txt2023-01-16 11:47:37.742 11241100x800000000000000033627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.742{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2023-01-16 11:10:38.139 11241100x800000000000000033626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.742{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Microsoft.NET\cHpfiXA9s.README.txt2023-01-16 11:47:37.742 23542300x800000000000000033625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.742{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5733EDB71486CF61AC073BC650934029,SHA256=A4A18A101596FBF64412E94FC3545183F2CD4A640D2E0A811B7B4A24E5266866,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000033624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.727{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Mozilla Maintenance Service\logs\cHpfiXA9s.README.txt2023-01-16 11:47:37.727 11241100x800000000000000033623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.727{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Mozilla Maintenance Service\cHpfiXA9s.README.txt2023-01-16 11:47:37.727 11241100x800000000000000033622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.727{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Uninstall Information\cHpfiXA9s.README.txt2023-01-16 11:47:37.727 11241100x800000000000000033621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.727{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Windows Mail\en-US\cHpfiXA9s.README.txt2023-01-16 11:47:37.727 11241100x800000000000000033620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.680{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Windows Mail\cHpfiXA9s.README.txt2023-01-16 11:47:37.680 11241100x800000000000000033619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.664{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Windows Media Player\en-US\cHpfiXA9s.README.txt2023-01-16 11:47:37.664 11241100x800000000000000033618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.649{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Windows Media Player\Media Renderer\cHpfiXA9s.README.txt2023-01-16 11:47:37.649 11241100x800000000000000033617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.649{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Windows Media Player\Network Sharing\cHpfiXA9s.README.txt2023-01-16 11:47:37.649 11241100x800000000000000033616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.633{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Windows Media Player\Skins\cHpfiXA9s.README.txt2023-01-16 11:47:37.633 11241100x800000000000000033615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.633{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Windows Media Player\Visualizations\cHpfiXA9s.README.txt2023-01-16 11:47:37.633 11241100x800000000000000033614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.617{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Windows Media Player\cHpfiXA9s.README.txt2023-01-16 11:47:37.617 11241100x800000000000000033613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.602{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Windows Multimedia Platform\cHpfiXA9s.README.txt2023-01-16 11:47:37.602 11241100x800000000000000033612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.602{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Windows NT\Accessories\en-US\cHpfiXA9s.README.txt2023-01-16 11:47:37.602 11241100x800000000000000033611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.602{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Windows NT\Accessories\cHpfiXA9s.README.txt2023-01-16 11:47:37.602 11241100x800000000000000033610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.602{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Windows NT\TableTextService\en-US\cHpfiXA9s.README.txt2023-01-16 11:47:37.602 11241100x800000000000000033609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.586{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Windows NT\TableTextService\cHpfiXA9s.README.txt2023-01-16 11:47:37.586 11241100x800000000000000033608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.586{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Windows NT\cHpfiXA9s.README.txt2023-01-16 11:47:37.570 11241100x800000000000000033607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.555{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Windows Photo Viewer\en-US\cHpfiXA9s.README.txt2023-01-16 11:47:37.555 11241100x800000000000000033606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.539{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Windows Photo Viewer\cHpfiXA9s.README.txt2023-01-16 11:47:37.539 11241100x800000000000000033605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.539{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\database_76D0_D90_D00D_582F\fsrtmp.log2023-01-16 11:08:31.077 11241100x800000000000000033604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.539{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Windows Portable Devices\cHpfiXA9s.README.txt2023-01-16 11:47:37.539 11241100x800000000000000033603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.539{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Comprehensive\cHpfiXA9s.README.txt2023-01-16 11:47:37.539 11241100x800000000000000033602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.539{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Simple\cHpfiXA9s.README.txt2023-01-16 11:47:37.539 11241100x800000000000000033601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.539{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\cHpfiXA9s.README.txt2023-01-16 11:47:37.539 11241100x800000000000000033600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.523{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\Simple\cHpfiXA9s.README.txt2023-01-16 11:47:37.523 11241100x800000000000000033599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.523{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\cHpfiXA9s.README.txt2023-01-16 11:47:37.523 11241100x800000000000000033598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.523{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\cHpfiXA9s.README.txt2023-01-16 11:47:37.523 11241100x800000000000000033597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.523{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\Simple\cHpfiXA9s.README.txt2023-01-16 11:47:37.523 11241100x800000000000000033596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.523{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\cHpfiXA9s.README.txt2023-01-16 11:47:37.523 11241100x800000000000000033595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.523{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\cHpfiXA9s.README.txt2023-01-16 11:47:37.523 11241100x800000000000000033594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.523{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\cHpfiXA9s.README.txt2023-01-16 11:47:37.523 11241100x800000000000000033593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.508{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\cHpfiXA9s.README.txt2023-01-16 11:47:37.508 11241100x800000000000000033592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.508{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\cHpfiXA9s.README.txt2023-01-16 11:47:37.508 11241100x800000000000000033591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.508{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\cHpfiXA9s.README.txt2023-01-16 11:47:37.508 11241100x800000000000000033590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.508{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\Simple\cHpfiXA9s.README.txt2023-01-16 11:47:37.508 11241100x800000000000000033589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.508{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\cHpfiXA9s.README.txt2023-01-16 11:47:37.508 11241100x800000000000000033588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.508{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\cHpfiXA9s.README.txt2023-01-16 11:47:37.508 11241100x800000000000000033587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.508{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\cHpfiXA9s.README.txt2023-01-16 11:47:37.508 11241100x800000000000000033586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.508{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\cHpfiXA9s.README.txt2023-01-16 11:47:37.508 11241100x800000000000000033585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.508{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\cHpfiXA9s.README.txt2023-01-16 11:47:37.508 11241100x800000000000000033584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.492{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\cHpfiXA9s.README.txt2023-01-16 11:47:37.492 11241100x800000000000000033583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.492{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\cHpfiXA9s.README.txt2023-01-16 11:47:37.492 11241100x800000000000000033582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.477{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\cHpfiXA9s.README.txt2023-01-16 11:47:37.477 11241100x800000000000000033581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.446{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\cHpfiXA9s.README.txt2023-01-16 11:47:37.446 11241100x800000000000000033580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.445{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\cHpfiXA9s.README.txt2023-01-16 11:47:37.445 11241100x800000000000000033579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.442{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\bin\cHpfiXA9s.README.txt2023-01-16 11:47:37.441 11241100x800000000000000033578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.421{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\cHpfiXA9s.README.txt2023-01-16 11:47:37.421 11241100x800000000000000033577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.414{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Calculator\cHpfiXA9s.README.txt2023-01-16 11:47:37.414 11241100x800000000000000033576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.411{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\cHpfiXA9s.README.txt2023-01-16 11:47:37.411 11241100x800000000000000033575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.410{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\cHpfiXA9s.README.txt2023-01-16 11:47:37.410 11241100x800000000000000033574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.328{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\cHpfiXA9s.README.txt2023-01-16 11:47:37.327 354300x800000000000000033573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:34.537{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local58504- 354300x800000000000000033572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:34.537{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local58504-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local53domain 354300x800000000000000033571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:34.530{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56874-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local49666- 354300x800000000000000033570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:34.530{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56874-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local49666- 354300x800000000000000033569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:33.688{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56873-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local135epmap 354300x800000000000000033568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:33.688{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56873-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local135epmap 11241100x800000000000000033567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.179{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\cHpfiXA9s.README.txt2023-01-16 11:47:37.179 11241100x800000000000000033566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.132{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\cHpfiXA9s.README.txt2023-01-16 11:47:37.132 11241100x800000000000000033565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.101{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\cHpfiXA9s.README.txt2023-01-16 11:47:37.101 11241100x800000000000000033564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.101{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\Pester\cHpfiXA9s.README.txt2023-01-16 11:47:37.101 11241100x800000000000000033563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.101{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 11:11:01.844 23542300x800000000000000033562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.101{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB0E95AC4205945F397C0432C02C1ADF,SHA256=B3FC7158E9408F25FE7CDD27D49AC9D35042E64FF1E1F8CBE0DA26C7B4608364,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000033561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.085{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\cHpfiXA9s.README.txt2023-01-16 11:47:37.085 11241100x800000000000000033560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.085{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\cHpfiXA9s.README.txt2023-01-16 11:47:37.085 11241100x800000000000000033559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.085{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\cHpfiXA9s.README.txt2023-01-16 11:47:37.085 11241100x800000000000000033558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.085{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\Modules\cHpfiXA9s.README.txt2023-01-16 11:47:37.085 11241100x800000000000000033557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.070{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\WindowsPowerShell\cHpfiXA9s.README.txt2023-01-16 11:47:37.070 11241100x800000000000000033556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.070{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\cHpfiXA9s.README.txt2023-01-16 11:47:37.070 11241100x800000000000000033555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.070{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\AWSUpdateWindowsInstance\e2fd63dd-851d-46da-b928-26e6039f2283\Start-AwsUwiSysprep\cHpfiXA9s.README.txt2023-01-16 11:47:37.070 11241100x800000000000000033554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.070{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\AWSUpdateWindowsInstance\e2fd63dd-851d-46da-b928-26e6039f2283\cHpfiXA9s.README.txt2023-01-16 11:47:37.070 11241100x800000000000000033553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.070{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\AWSUpdateWindowsInstance\cHpfiXA9s.README.txt2023-01-16 11:47:37.070 11241100x800000000000000033552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.060{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\EC2-Windows\Launch\Config\cHpfiXA9s.README.txt2023-01-16 11:47:37.060 11241100x800000000000000033551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.044{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\EC2-Windows\Launch\Library\cHpfiXA9s.README.txt2023-01-16 11:47:37.044 11241100x800000000000000033550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.027{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\ProgramData\Amazon\EC2-Windows\Launch\Log\cHpfiXA9s.README.txt2023-01-16 11:47:37.027 11241100x800000000000000033549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.027{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000033548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:37.027{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF604BD9CAC9AC38D74898BAB6F2532A,SHA256=4C03206991DD766BE5A9BAA78A941C826FC9EF7F616D2BC1DFF2060686F9F48B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000033665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:38.896{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000033664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:38.896{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E89D287349596700B9C2879EC699EDD8,SHA256=30F0AC0FF467C40354AA7419412268EF5A9F80F3EAA4CAA06CFB2185D8EBDFF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:38.416{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FB6FF09C6EE93EBB4B743B4532492E7,SHA256=376B9EC8C9C2AE437581BF82A7C21BE274C573CD3A8D6D054219A03FBDD39443,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000033663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:38.354{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\AWS Tools\PowerShell\AWSPowerShell\cHpfiXA9s.README.txt2023-01-16 11:47:38.354 11241100x800000000000000033662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:38.353{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\AWS Tools\PowerShell\cHpfiXA9s.README.txt2023-01-16 11:47:38.353 11241100x800000000000000033661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:38.350{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\AWS Tools\ThirdPartySource\cHpfiXA9s.README.txt2023-01-16 11:47:38.349 11241100x800000000000000033660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:38.349{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\AWS Tools\cHpfiXA9s.README.txt2023-01-16 11:47:38.349 11241100x800000000000000033659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:38.346{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Common Files\Microsoft Shared\DAO\cHpfiXA9s.README.txt2023-01-16 11:47:38.346 11241100x800000000000000033658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:38.326{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\cHpfiXA9s.README.txt2023-01-16 11:47:38.326 11241100x800000000000000033657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:38.325{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\cHpfiXA9s.README.txt2023-01-16 11:47:38.324 354300x800000000000000033656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:34.538{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local50000- 354300x800000000000000033655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:34.538{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local50000-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local53domain 11241100x800000000000000033654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:38.206{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Common Files\Microsoft Shared\ink\cHpfiXA9s.README.txt2023-01-16 11:47:38.206 11241100x800000000000000033653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:38.206{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 11241100x800000000000000033652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:38.206{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\cHpfiXA9s.README.txt2023-01-16 11:47:38.206 23542300x800000000000000033651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:38.206{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4B042A19B61AFA67015B1E2C572E4FB,SHA256=C049B19B56765E7E603C006D31881A8EBBECC3241364DADB0B36D80EFB3345FC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000033650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:38.206{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\cHpfiXA9s.README.txt2023-01-16 11:47:38.206 11241100x800000000000000033649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:38.144{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\cHpfiXA9s.README.txt2023-01-16 11:47:38.144 11241100x800000000000000033648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:38.144{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\cHpfiXA9s.README.txt2023-01-16 11:47:38.144 11241100x800000000000000033647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:38.144{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\cHpfiXA9s.README.txt2023-01-16 11:47:38.144 11241100x800000000000000033646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:38.144{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\cHpfiXA9s.README.txt2023-01-16 11:47:38.144 11241100x800000000000000033645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:38.144{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\cHpfiXA9s.README.txt2023-01-16 11:47:38.144 11241100x800000000000000033644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:38.144{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Common Files\Microsoft Shared\VGX\cHpfiXA9s.README.txt2023-01-16 11:47:38.144 11241100x800000000000000033643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:38.144{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Common Files\Microsoft Shared\cHpfiXA9s.README.txt2023-01-16 11:47:38.144 11241100x800000000000000033642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:38.113{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Common Files\Services\cHpfiXA9s.README.txt2023-01-16 11:47:38.113 11241100x800000000000000033641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:38.097{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Common Files\System\ado\en-US\cHpfiXA9s.README.txt2023-01-16 11:47:38.097 11241100x800000000000000033640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:38.056{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Common Files\System\ado\cHpfiXA9s.README.txt2023-01-16 11:47:38.056 11241100x800000000000000033639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:38.040{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Common Files\System\en-US\cHpfiXA9s.README.txt2023-01-16 11:47:38.040 11241100x800000000000000033638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:38.040{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\Common Files\System\msadc\en-US\cHpfiXA9s.README.txt2023-01-16 11:47:38.040 11241100x800000000000000033668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:39.958{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000033667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:39.958{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2F95F67536929EA0BBF86B62B7338E,SHA256=B8AA35147C8F6D77F181FEC20265FA721C5CA51B3D42E336C3898A7192A0EA70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:39.503{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D1011D0FA19B33B710DFD3E33EA1957,SHA256=7B04762E3AF9404F7C3044AE5DBE07E6E8AA294B3E69432EF342EBF10DCAE4C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:35.689{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56875-false10.0.1.12-8000- 23542300x800000000000000014112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:40.577{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAEFBC552D09B7E8B4ABE2E65D08F802,SHA256=DB033E0A711EFCE982B216AEDEB6B239336992C0B97642F68F4581CFE8596B79,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000033683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:40.755{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\AWS SDK for .NET\bin\Net45\cHpfiXA9s.README.txt2023-01-16 11:47:40.755 11241100x800000000000000033682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:40.739{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\AWS SDK for .NET\bin\cHpfiXA9s.README.txt2023-01-16 11:47:40.739 11241100x800000000000000033681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:40.708{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\AWS SDK for .NET\past-releases\Version-1\cHpfiXA9s.README.txt2023-01-16 11:47:40.692 11241100x800000000000000033680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:40.677{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\AWS SDK for .NET\past-releases\Version-2\Net35\cHpfiXA9s.README.txt2023-01-16 11:47:40.677 11241100x800000000000000033679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:40.661{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\AWS SDK for .NET\past-releases\Version-2\Net45\cHpfiXA9s.README.txt2023-01-16 11:47:40.661 11241100x800000000000000033678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:40.661{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\AWS SDK for .NET\past-releases\Version-2\Portable (Windows Store 8.1 and Windows Phone 8.1)\cHpfiXA9s.README.txt2023-01-16 11:47:40.661 11241100x800000000000000033677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:40.645{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\AWS SDK for .NET\past-releases\Version-2\WindowsPhone8\cHpfiXA9s.README.txt2023-01-16 11:47:40.645 11241100x800000000000000033676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:40.630{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\AWS SDK for .NET\past-releases\Version-2\WindowsRT\cHpfiXA9s.README.txt2023-01-16 11:47:40.630 11241100x800000000000000033675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:40.630{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\AWS SDK for .NET\past-releases\Version-2\cHpfiXA9s.README.txt2023-01-16 11:47:40.630 11241100x800000000000000033674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:40.630{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\AWS SDK for .NET\past-releases\cHpfiXA9s.README.txt2023-01-16 11:47:40.630 11241100x800000000000000033673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:40.630{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\AWS SDK for .NET\cHpfiXA9s.README.txt2023-01-16 11:47:40.630 11241100x800000000000000033672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:40.630{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\AWS Tools\CodeCommit\cHpfiXA9s.README.txt2023-01-16 11:47:40.630 11241100x800000000000000033671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:40.614{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\AWS Tools\Deployment Tool\Samples\cHpfiXA9s.README.txt2023-01-16 11:47:40.614 11241100x800000000000000033670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:40.479{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\AWS Tools\Deployment Tool\cHpfiXA9s.README.txt2023-01-16 11:47:40.479 11241100x800000000000000033669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:40.441{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\AWS Tools\Documentation\cHpfiXA9s.README.txt2023-01-16 11:47:40.440 23542300x800000000000000014113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:41.670{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25D362C2B54F4BEE1CE8C01BB5BE39D9,SHA256=BB7C056036DC8005DFF2DE905BBD21F8E41C4D597B6079B1E83F3C62C31DC8C6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000033685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:41.036{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000033684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:41.036{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=611B882F4EB46DEFE1D0C23E0D2AF4F1,SHA256=6B1009382F446F22BF344123411C8A1457089DC5C9647EB7ACC4E9EB526E4845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:42.753{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=372596843E1A6F99DC0BB81D3371E192,SHA256=1B16B22796B87D8D2F88111B9E4B230069AF983C18E07AD445A17726575850DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:42.939{FCCA13C7-3386-63C5-9201-00000000AF02}29806300C:\Windows\system32\sihost.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e514|C:\Windows\System32\modernexecserver.dll+49142|C:\Windows\System32\modernexecserver.dll+14a47|C:\Windows\SYSTEM32\ntdll.dll+3a950|C:\Windows\SYSTEM32\ntdll.dll+1e87f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:42.627{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:42.625{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:42.280{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:42.268{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:42.262{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:42.260{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:42.258{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:42.256{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:42.232{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:42.226{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:42.216{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:42.210{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:42.205{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:42.178{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:42.169{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:42.160{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:42.154{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:42.145{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:42.138{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 11241100x800000000000000033689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:42.101{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 10341000x800000000000000033688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:42.101{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000033687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:42.101{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02DA6EC6D2B60FEBB12FA170F49BD5DE,SHA256=E462EB3D419F85AED7B7692CED13885F067297D06B2271466D3C11255D330F57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:42.099{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000014116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:43.842{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15CFCAF2ED5007739270509A17BF15B1,SHA256=7F525A2850365B95DB1B5C4E7458CC3660669428637C552D6E377B7605E84B38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:43.811{312A7A06-3345-63C5-1200-00000000B002}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0A4C40ADC640E1741B68E8C69AF41704,SHA256=8A086F0DFBFFB0365B108D4569D503494648984C1266501F9291DCD21958B564,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000033724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:43.977{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2023-01-16 11:11:42.170 23542300x800000000000000033723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:43.977{FCCA13C7-30ED-63C5-1100-00000000AF02}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F5309866EF2EA20C173F8DDC2909D89D,SHA256=876A361AB2344CBAB740B63DB9A97AAB3E3BDA93BA8523B17E4EE87EAB53F047,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000033722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:43.558{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000033721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:43.558{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1F61656E587EC3BB228AFA9A73F3B4C,SHA256=2E9E6C13C44243B4622398A0FB3B42C3C0D19DEA5766CDE8A49C4BA11D032705,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:43.138{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000033719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:43.138{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000033718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:43.138{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000033717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:43.138{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000033716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:43.138{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000033715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:43.138{FCCA13C7-3386-63C5-9201-00000000AF02}29806300C:\Windows\system32\sihost.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:43.090{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000033713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:43.090{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000033712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:43.090{FCCA13C7-30ED-63C5-0C00-00000000AF02}848876C:\Windows\system32\svchost.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000033711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:43.090{FCCA13C7-30FB-63C5-2900-00000000AF02}26605824C:\Windows\system32\svchost.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\tileobjserver.dll+bdb2|c:\windows\system32\tileobjserver.dll+26bf2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000033710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:43.090{FCCA13C7-30FB-63C5-2900-00000000AF02}26605824C:\Windows\system32\svchost.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\tileobjserver.dll+bd5f|c:\windows\system32\tileobjserver.dll+26bf2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 23542300x800000000000000014118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:44.828{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0F497E8EA28E676A7D21810B2EFF57C,SHA256=8E8A48559D4B0F864C76492DD30A53FFFCC9987876F17394511791B44DC550EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:44.674{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:44.673{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:44.670{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:44.668{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:44.664{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 354300x800000000000000033727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:41.505{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56876-false10.0.1.12-8000- 11241100x800000000000000033726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:44.233{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000033725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:44.233{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE303F699FA7297ACB08F3C2843832EA,SHA256=D3FC526A05616E3CD84776319625EBBBF184958D5F959C773DE0476EB3440925,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:40.497{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49992-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:45.909{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92AE1EA083640D23FD327EADC2C0FC57,SHA256=FB115FD28209097F24A8BD49A3F24026FA2DF9AAFC5D234BD80FD54D12F8907D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000033755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:45.581{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files (x86)\AWS SDK for .NET\bin\Net35\cHpfiXA9s.README.txt2023-01-16 11:47:45.581 11241100x800000000000000033754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:45.312{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000033753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:45.312{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B377776DD324139435695629F5D81D6F,SHA256=DCC16B178144A0C10D667FA015FC38F49433616900D2CD3A520EABB21A7CA4FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:45.279{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-394E-63C5-AB05-00000000AF02}6544C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:45.278{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-394B-63C5-A505-00000000AF02}7032C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:45.277{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:45.276{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8A05-00000000AF02}348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:45.275{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3866-63C5-8905-00000000AF02}6612C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:45.275{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:45.274{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:45.251{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:45.244{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:45.210{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:45.196{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:45.192{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:45.191{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:45.187{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:45.185{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:45.185{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:45.181{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:45.179{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:45.178{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000033733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:45.178{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 11241100x800000000000000033757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:46.276{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000033756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:46.276{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=908473F8F1062446F3C019F846B19EE6,SHA256=BCB0F0971364A1E76E8343B1A751B23FBA1827B96E1CE817720DF6208993C21D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:47.717{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:47.717{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:47.717{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000033759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:47.353{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000033758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:47.353{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1230ED06E1B73814BF007A09BBEC9ABF,SHA256=429D7FCC099175498D6E42BE0020FE1A0DB976005EAF7386B4D0A8A3C405ACF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:46.999{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33FC79A3CA31B8F8FE2DFE6DE5361296,SHA256=AE939EE4FA5693544C46DB269E60F016082CA2BD1DB661A24A4D8320CB09B874,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000033789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:48.494{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000033788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:48.494{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12C8294A2C035170B5F94733EB4B8A63,SHA256=B12EF12F1540FD78A66BF5008FB040F955755B261054C7A08B8EDDB736FFD7F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:45.498{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49993-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:48.086{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E63C646480EA765569D61E4CE878791,SHA256=E04E47016793F5745DAFD9126B334D062BDB37E46F9E0FCCD610340F8BD33A8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:48.165{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:48.165{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:48.165{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:48.165{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:48.165{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:48.165{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:48.165{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:48.165{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:48.165{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:48.165{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:48.165{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:48.165{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:48.165{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:48.165{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:48.165{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:48.165{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:48.165{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:48.165{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:48.165{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:48.165{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:48.165{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:48.165{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:48.165{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:48.165{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:48.165{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000033791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:49.514{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000033790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:49.514{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E8EC0C9FF3C390DF04E5A586BFE83CD,SHA256=99959285A88605CD29E56C661A0E8E684122E4466D6C1A2F6E33B78D7075D173,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:49.988{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:49.976{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:49.962{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:49.953{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:49.939{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:49.934{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:49.933{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 23542300x800000000000000014123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:49.177{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F1F34AD29DE34648FCD8E4494D0531A,SHA256=911EC9F34684C531EFE4C7E12725C32ABBC78DE2B53567FA0C72399DE92CAABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:50.449{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=417D7148D9FB1754C120683EE41F531B,SHA256=02C50391A6D3B86BCEC1EC79F0AE2E2D6A02C4B035932CEBA0625AF08A3CAE21,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000033807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:50.954{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\cHpfiXA9s.README.txt2023-01-16 11:47:50.954 11241100x800000000000000033806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:50.876{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\cHpfiXA9s.README.txt2023-01-16 11:47:50.876 11241100x800000000000000033805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:50.845{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\cHpfiXA9s.README.txt2023-01-16 11:47:50.845 11241100x800000000000000033804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:50.845{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\Pester\cHpfiXA9s.README.txt2023-01-16 11:47:50.845 11241100x800000000000000033803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:50.845{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\cHpfiXA9s.README.txt2023-01-16 11:47:50.845 11241100x800000000000000033802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:50.829{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\cHpfiXA9s.README.txt2023-01-16 11:47:50.829 11241100x800000000000000033801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:50.829{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\PowerShellGet\cHpfiXA9s.README.txt2023-01-16 11:47:50.829 11241100x800000000000000033800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:50.829{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\PSReadline\1.2\en\cHpfiXA9s.README.txt2023-01-16 11:47:50.829 11241100x800000000000000033799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:50.814{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\PSReadline\1.2\cHpfiXA9s.README.txt2023-01-16 11:47:50.814 11241100x800000000000000033798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:50.814{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\PSReadline\cHpfiXA9s.README.txt2023-01-16 11:47:50.814 11241100x800000000000000033797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:50.814{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\cHpfiXA9s.README.txt2023-01-16 11:47:50.814 11241100x800000000000000033796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:50.814{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\cHpfiXA9s.README.txt2023-01-16 11:47:50.814 11241100x800000000000000033795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:50.814{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\cHpfiXA9s.README.txt2023-01-16 11:47:50.814 11241100x800000000000000033794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:50.589{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000033793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:50.588{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B158B3D743D58EFF14BE59CF0E635AAD,SHA256=E3E0429AAD6ECEF1C64BF583BD3937FCF781C20D7B4646084CDBB005C8474132,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:46.622{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local56877-false10.0.1.12-8000- 10341000x800000000000000014154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:50.116{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:50.115{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:50.113{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:50.110{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:50.107{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:50.105{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:50.105{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:50.103{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:50.101{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:50.095{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:50.094{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:50.092{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:50.089{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:50.083{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:50.081{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:50.076{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:50.070{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:50.057{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:50.054{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:50.043{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:50.037{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:50.030{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:50.023{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:50.017{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 23542300x800000000000000014156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:51.481{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70672A6F97B99AC94D4217BA092895B6,SHA256=6A0F5D73C97A5B5A76D72D1B718328F9D9895E62AA464D2DEAEA059D66FDBEEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.858{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000033994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.858{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000033993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.855{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8701-00000000AF02}3372C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000033992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.855{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8701-00000000AF02}3372C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000033991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.853{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0800-00000000AF02}492C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000033990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.853{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0800-00000000AF02}492C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000033989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.852{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0800-00000000AF02}492C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000033988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.851{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0800-00000000AF02}492C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000033987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.850{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0500-00000000AF02}412C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000033986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.850{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0500-00000000AF02}412C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 12241200x800000000000000033985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:51.845{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:51.845{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:51.845{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 10341000x800000000000000033982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.845{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 12241200x800000000000000033981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:51.845{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 10341000x800000000000000033980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.845{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 12241200x800000000000000033979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:51.845{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 10341000x800000000000000033978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.845{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 12241200x800000000000000033977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:51.845{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 10341000x800000000000000033976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.845{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000033975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.844{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000033974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.844{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000033973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.844{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000033972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.844{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000033971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.842{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000033970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.842{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000033969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.839{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000033968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.839{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000033967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.839{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000033966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.839{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000033965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.838{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000033964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.838{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000033963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.838{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000033962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.838{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000033961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.836{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000033960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.836{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000033959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.835{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000033958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.835{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000033957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.834{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000033956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.834{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000033955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.822{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000033954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.817{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.803{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.803{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.803{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.803{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.803{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 11241100x800000000000000033948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.605{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 23542300x800000000000000033947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.604{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA65D224EFD009AAD84C6722726A571,SHA256=EE60D9913CA0B64470BF20399D0074493513A4699A19CB451A9F6EA7AC72F190,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000033946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:51.602{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:51.602{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:51.602{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:51.602{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:51.602{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:51.602{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 12241200x800000000000000033940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:51.600{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc 12241200x800000000000000033939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:51.600{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc\Security 12241200x800000000000000033938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:51.600{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc\Parameters 10341000x800000000000000033937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.574{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000033936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.571{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000033935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.564{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.544{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.544{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.543{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.543{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.543{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 11241100x800000000000000033929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.532{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 11:11:01.844 11241100x800000000000000033928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.532{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2023-01-16 11:10:38.139 23542300x800000000000000033927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.532{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2718A48E64E95689737E749A919FDAD,SHA256=A774E7BCEDBE7AACB6F9400615B32840C3EA78DD05DA7E2104653256E4FCA8D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.532{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=308C97DFE5E98D3C3FB65F791C17CD99,SHA256=B79F79CCEFC7D72F25D0FA57AEBCD45F2B3020586C1962DCB2AA741C52FAFD87,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000033925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.497{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Control\WMI\Security\d2112be4-cd15-5a9c-e38f-080a207e08d5Binary Data 11241100x800000000000000033924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.497{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 11:12:33.185 13241300x800000000000000033923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.497{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Control\WMI\Security\0e66e20b-b802-ba6a-9272-31199d0ed295Binary Data 23542300x800000000000000033922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.497{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3229B8FB4CF4C9663D6243001044C0CC,SHA256=08654E1D5B840EC9F5F9C0355B8D759611202D31694370E9B0FF089895F04CD5,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000033921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.434{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Control\WMI\Security\c4a0a2bc-c743-5810-8ad4-2655a8ca2744Binary Data 13241300x800000000000000033920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.419{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Control\WMI\Security\d2112be4-cd15-5a9c-e38f-080a207e08d5Binary Data 11241100x800000000000000033919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.419{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 11:10:32.859 23542300x800000000000000033918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.419{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C9D0FF6F884FB3C70F10C9CFBFD1E053,SHA256=A9C2B60EFA339F315B3EE3EA07B018247FA9E3D5F6AA1B5805AF7D9026B39A24,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000033917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.419{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Control\WMI\Security\0e66e20b-b802-ba6a-9272-31199d0ed295Binary Data 13241300x800000000000000033916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.403{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\us-east-2.compute.internal\{7DCBAA14-871E-49FC-AD8D-7D6AFE58AB5A}Binary Data 10341000x800000000000000033915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.403{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000033914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.403{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\us-east-2.compute.internal\{7DCBAA14-871E-49FC-AD8D-7D6AFE58AB5A}Binary Data 13241300x800000000000000033913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.403{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\us-east-2.compute.internal\{7DCBAA14-871E-49FC-AD8D-7D6AFE58AB5A}Binary Data 10341000x800000000000000033912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.403{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000033911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.403{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\us-east-2.compute.internal\{7DCBAA14-871E-49FC-AD8D-7D6AFE58AB5A}Binary Data 13241300x800000000000000033910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.403{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\us-east-2.compute.internal\{7DCBAA14-871E-49FC-AD8D-7D6AFE58AB5A}Binary Data 13241300x800000000000000033909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.403{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\us-east-2.compute.internal\{7DCBAA14-871E-49FC-AD8D-7D6AFE58AB5A}Binary Data 12241200x800000000000000033908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:51.356{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\iphlpsvc 12241200x800000000000000033907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:51.356{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\Teredo 12241200x800000000000000033906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:51.356{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\Parameters 12241200x800000000000000033905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:51.356{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\Parameters\Teredo 12241200x800000000000000033904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:51.356{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\Parameters\Teredo\{B4ACEB91-3521-4F28-A5F8-434384469E9A} 12241200x800000000000000033903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:51.356{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\Parameters\ProxyMgr 12241200x800000000000000033902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:51.356{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap 12241200x800000000000000033901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:51.356{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{90ABCE23-305A-4BDE-AA39-4FFDA7413134} 12241200x800000000000000033900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:51.356{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{830D2A33-975A-40DF-BD99-93ECD5F722C4} 12241200x800000000000000033899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:51.356{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\Parameters\IPHTTPS 12241200x800000000000000033898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:51.356{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\Parameters\HomeAccess 12241200x800000000000000033897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:51.356{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\Parameters\EtherUdp 12241200x800000000000000033896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:51.356{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\Parameters\ADHarvest 12241200x800000000000000033895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:51.356{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\Interfaces 12241200x800000000000000033894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:51.356{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\DaMultisite 12241200x800000000000000033893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:51.356{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\config 13241300x800000000000000033892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.356{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemHKLM\System\CurrentControlSet\Enum\SWD\IP_TUNNEL_VBUS\IP_TUNNEL_DEVICE_ROOT\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067\(Default)Binary Data 13241300x800000000000000033891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.341{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Control\WMI\Security\c4a0a2bc-c743-5810-8ad4-2655a8ca2744Binary Data 13241300x800000000000000033890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.341{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{830D2A33-975A-40DF-BD99-93ECD5F722C4}\DeviceInstancePathSWD\IP_TUNNEL_VBUS\ISATAP_1 13241300x800000000000000033889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.341{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{830D2A33-975A-40DF-BD99-93ECD5F722C4}\ReusableSpecificNameisatap.us-east-2.compute.internal 13241300x800000000000000033888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.341{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{830D2A33-975A-40DF-BD99-93ECD5F722C4}\DefunctTimestampQWORD (0x00000000-0x63c53967) 13241300x800000000000000033887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.341{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{830D2A33-975A-40DF-BD99-93ECD5F722C4}\ReusableTypeDWORD (0x00000002) 13241300x800000000000000033886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.341{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{830D2A33-975A-40DF-BD99-93ECD5F722C4}\InterfaceNameReusable ISATAP Interface {830D2A33-975A-40DF-BD99-93ECD5F722C4} 13241300x800000000000000033885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.341{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemHKLM\System\CurrentControlSet\Enum\SWD\IP_TUNNEL_VBUS\ISATAP_1\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067\(Default)Binary Data 13241300x800000000000000033884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.341{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\NextInstanceDWORD (0x00000000) 13241300x800000000000000033883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.341{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\CountDWORD (0x00000000) 12241200x800000000000000033882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:51.341{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\0 13241300x800000000000000033881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.341{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemHKLM\System\CurrentControlSet\Enum\SWD\IP_TUNNEL_VBUS\Teredo_Tunnel_Device\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067\(Default)Binary Data 13241300x800000000000000033880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.341{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\NextInstanceDWORD (0x00000001) 13241300x800000000000000033879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.341{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\CountDWORD (0x00000001) 12241200x800000000000000033878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:51.341{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\1 13241300x800000000000000033877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.341{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Cache\KnownProxylessGatewaysV4Binary Data 13241300x800000000000000033876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.341{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Cache\OpportunisticInternetGatewaysV4Binary Data 12241200x800000000000000033875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:51.341{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000 12241200x800000000000000033874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:51.325{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Owner 12241200x800000000000000033873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:51.325{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash 12241200x800000000000000033872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:51.325{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence 12241200x800000000000000033871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:51.325{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 12241200x800000000000000033870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteValue2023-01-16 11:47:51.325{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash 13241300x800000000000000033869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.325{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\NlaSvc\StartDWORD (0x00000004) 13241300x800000000000000033868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.325{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\NlaSvc\DeleteFlagDWORD (0x00000001) 13241300x800000000000000033867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.325{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\netprofm\StartDWORD (0x00000004) 13241300x800000000000000033866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.325{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\netprofm\DeleteFlagDWORD (0x00000001) 13241300x800000000000000033865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.325{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc\StartDWORD (0x00000004) 13241300x800000000000000033864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.325{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc\DeleteFlagDWORD (0x00000001) 13241300x800000000000000033863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.325{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\StartDWORD (0x00000004) 13241300x800000000000000033862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.325{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\DeleteFlagDWORD (0x00000001) 12241200x800000000000000033861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:51.325{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\lmhosts 12241200x800000000000000033860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:51.325{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\lmhosts\TriggerInfo 12241200x800000000000000033859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:51.325{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\lmhosts\TriggerInfo\2 12241200x800000000000000033858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:51.325{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\lmhosts\TriggerInfo\1 12241200x800000000000000033857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:51.325{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\lmhosts\TriggerInfo\0 12241200x800000000000000033856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-DeleteKey2023-01-16 11:47:51.325{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\lmhosts\Parameters 13241300x800000000000000033855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.325{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\lmhosts\StartDWORD (0x00000004) 13241300x800000000000000033854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.325{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\lmhosts\DeleteFlagDWORD (0x00000001) 13241300x800000000000000033853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.325{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\EventLog\StartDWORD (0x00000004) 13241300x800000000000000033852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.325{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\EventLog\DeleteFlagDWORD (0x00000001) 13241300x800000000000000033851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.325{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Dhcp\StartDWORD (0x00000004) 13241300x800000000000000033850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.325{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Dhcp\DeleteFlagDWORD (0x00000001) 10341000x800000000000000033849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.294{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000033848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.278{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000033847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.278{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000033846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.278{FCCA13C7-394B-63C5-A305-00000000AF02}36765552C:\Temp\ConfirmEmail.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x121411C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1d434(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1b78c(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+1be81(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+c225(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+a256(wow64)|C:\Windows\SYSTEM32\RstrtMgr.dll+787a(wow64)|C:\Temp\ConfirmEmail.exe+dd99|C:\Temp\ConfirmEmail.exe+de60|C:\Temp\ConfirmEmail.exe+e405|C:\Temp\ConfirmEmail.exe+ef95|C:\Temp\ConfirmEmail.exe+f4d5|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000033845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.262{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHashBinary Data 13241300x800000000000000033844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.262{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000Binary Data 13241300x800000000000000033843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.262{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001) 13241300x800000000000000033842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.262{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary Data 13241300x800000000000000033841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:47:51.262{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeHKU\S-1-5-21-489063788-1047142772-617343651-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary Data 11241100x800000000000000033840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.262{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\Windows Photo Viewer\cHpfiXA9s.README.txt2023-01-16 11:47:51.262 11241100x800000000000000033839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.247{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\Windows Portable Devices\cHpfiXA9s.README.txt2023-01-16 11:47:51.247 11241100x800000000000000033838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.247{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Comprehensive\cHpfiXA9s.README.txt2023-01-16 11:47:51.247 11241100x800000000000000033837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.247{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Simple\cHpfiXA9s.README.txt2023-01-16 11:47:51.247 11241100x800000000000000033836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.247{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\cHpfiXA9s.README.txt2023-01-16 11:47:51.247 11241100x800000000000000033835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.247{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\Simple\cHpfiXA9s.README.txt2023-01-16 11:47:51.247 11241100x800000000000000033834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.247{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\cHpfiXA9s.README.txt2023-01-16 11:47:51.231 11241100x800000000000000033833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.231{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\cHpfiXA9s.README.txt2023-01-16 11:47:51.231 11241100x800000000000000033832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.231{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\Simple\cHpfiXA9s.README.txt2023-01-16 11:47:51.231 11241100x800000000000000033831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.231{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\cHpfiXA9s.README.txt2023-01-16 11:47:51.231 11241100x800000000000000033830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.231{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\cHpfiXA9s.README.txt2023-01-16 11:47:51.231 11241100x800000000000000033829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.231{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\cHpfiXA9s.README.txt2023-01-16 11:47:51.231 11241100x800000000000000033828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.231{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\cHpfiXA9s.README.txt2023-01-16 11:47:51.231 11241100x800000000000000033827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.231{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\cHpfiXA9s.README.txt2023-01-16 11:47:51.231 11241100x800000000000000033826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.231{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\cHpfiXA9s.README.txt2023-01-16 11:47:51.231 11241100x800000000000000033825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.216{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\Simple\cHpfiXA9s.README.txt2023-01-16 11:47:51.216 11241100x800000000000000033824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.216{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\cHpfiXA9s.README.txt2023-01-16 11:47:51.216 11241100x800000000000000033823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.216{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\cHpfiXA9s.README.txt2023-01-16 11:47:51.216 11241100x800000000000000033822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.216{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\cHpfiXA9s.README.txt2023-01-16 11:47:51.216 11241100x800000000000000033821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.216{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\cHpfiXA9s.README.txt2023-01-16 11:47:51.216 11241100x800000000000000033820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.216{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\cHpfiXA9s.README.txt2023-01-16 11:47:51.216 11241100x800000000000000033819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.200{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\cHpfiXA9s.README.txt2023-01-16 11:47:51.200 11241100x800000000000000033818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.200{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\cHpfiXA9s.README.txt2023-01-16 11:47:51.200 11241100x800000000000000033817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.184{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\cHpfiXA9s.README.txt2023-01-16 11:47:51.184 11241100x800000000000000033816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.153{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\cHpfiXA9s.README.txt2023-01-16 11:47:51.153 11241100x800000000000000033815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.153{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\PackageManagement\cHpfiXA9s.README.txt2023-01-16 11:47:51.153 11241100x800000000000000033814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.153{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\cHpfiXA9s.README.txt2023-01-16 11:47:51.153 11241100x800000000000000033813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.137{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\cHpfiXA9s.README.txt2023-01-16 11:47:51.137 11241100x800000000000000033812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.122{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Calculator\cHpfiXA9s.README.txt2023-01-16 11:47:51.122 11241100x800000000000000033811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.122{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\cHpfiXA9s.README.txt2023-01-16 11:47:51.122 11241100x800000000000000033810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.122{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\cHpfiXA9s.README.txt2023-01-16 11:47:51.122 11241100x800000000000000033809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.106{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-16 11:47:51.106 11241100x800000000000000033808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:47:51.033{FCCA13C7-394B-63C5-A305-00000000AF02}3676C:\Temp\ConfirmEmail.exeC:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\cHpfiXA9s.README.txt2023-01-16 11:47:51.033 10341000x800000000000000014161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:52.918{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:52.918{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:52.918{312A7A06-3345-63C5-0B00-00000000B002}628668C:\Windows\system32\lsass.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:52.906{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1D00-00000000B002}1996C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000014157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:52.557{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B954EF3E5FD21B14C31CAED966F90E,SHA256=D4ECE2F6E504BBB75EE2BA3B8C9253D732EA2CFBB4316B7D8A92F358534D3E3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:53.655{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4938F83D7CD0CAA5713940205786247A,SHA256=4C767F7E55386BF0FBFD6E857B28342A3BCF8DAEC49496951C014D097236E560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:54.752{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F1C5CDD18A832DE83A91807BD2649E2,SHA256=D6F967B9CF913A6CE42B044271FDA2A35224790144FD117FAB3BD27555C133C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:50.631{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49994-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:55.847{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246614B1F086D97D29E7BB760D1999A3,SHA256=12257CE84DD41D74B5F18086A9DD8F1B77C6D8550380530D7B6149FFD7FC2B3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:56.859{312A7A06-396C-63C5-C901-00000000B002}29282820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:56.656{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-396C-63C5-C901-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:56.656{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:56.656{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:56.656{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:56.656{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:56.656{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:56.656{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:56.656{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:56.656{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:56.656{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:56.656{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-396C-63C5-C901-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:56.656{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-396C-63C5-C901-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:56.657{312A7A06-396C-63C5-C901-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000014179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:56.609{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C4533BA5C64D46D7CF659F4AD9CC2BE7,SHA256=A8AFFF100B6626C3096BBB51816DA3FF9D397780EB1A8B64AD0544A05E027662,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:56.039{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-396C-63C5-C801-00000000B002}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:56.037{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:56.037{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:56.036{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:56.036{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:56.036{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:56.036{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:56.036{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:56.036{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:56.036{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:56.036{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-396C-63C5-C801-00000000B002}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:56.036{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-396C-63C5-C801-00000000B002}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:56.036{312A7A06-396C-63C5-C801-00000000B002}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000014209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:57.928{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B984B03F9BDF3C44B6BB2C6B7276927,SHA256=477229924F49BB3830ABA1EF1F68499C6A3958BFCEA55A15EA7440171B3A672D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:57.173{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-396D-63C5-CA01-00000000B002}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:57.173{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:57.173{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:57.173{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:57.173{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:57.173{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:57.173{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:57.173{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:57.173{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:57.173{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-396D-63C5-CA01-00000000B002}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:57.173{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:57.173{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-396D-63C5-CA01-00000000B002}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:57.174{312A7A06-396D-63C5-CA01-00000000B002}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000014195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:57.158{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A38B9E643FCF75923A238B91908308F,SHA256=37457CB42D2E509577E782AC7A863CF8C41F4535795795C22E2074FD817C73C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:57.142{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD944FAD4920CCC4DBF69986A4A1B03D,SHA256=8A79208FA87DF33B565E7852C78B6A730F753C1071EBE15A38954D21109F0D12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:58.888{312A7A06-396E-63C5-CB01-00000000B002}40243840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:58.684{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-396E-63C5-CB01-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:58.684{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:58.684{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:58.684{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:58.684{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:58.684{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:58.684{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:58.684{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:58.684{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:58.684{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:58.684{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-396E-63C5-CB01-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:58.684{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-396E-63C5-CB01-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:58.685{312A7A06-396E-63C5-CB01-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000014210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:58.494{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C2606910FB2DE0C2E7F51118410E456E,SHA256=E5F763773776ED3B10878BB230010C1F1832F4154BDA147207D61EB9707DAB51,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:56.505{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49995-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000014242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:59.638{312A7A06-396F-63C5-CC01-00000000B002}4003984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:59.586{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-396F-63C5-CC01-00000000B002}400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000014240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:59.586{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-396F-63C5-CC01-00000000B002}400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000014239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:59.586{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-396F-63C5-CC01-00000000B002}400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000014238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:59.451{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-396F-63C5-CC01-00000000B002}400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:59.451{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:59.451{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:59.451{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:59.451{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:59.451{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:59.451{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:59.451{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:59.451{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:59.451{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:59.451{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-396F-63C5-CC01-00000000B002}400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:59.451{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-396F-63C5-CC01-00000000B002}400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:59.453{312A7A06-396F-63C5-CC01-00000000B002}400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000014225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:47:59.028{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE04CBCBCB6681F2CFD4B97D2CF090C5,SHA256=FEAA2FD30063BC0B7ED5D463797EA2BBD2D34139CC1EFE1CBB24CEB6BD55B028,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:00.316{312A7A06-3970-63C5-CD01-00000000B002}39723392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000014257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:00.125{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB7FCE2C6F1CCDE832421C6E0C2DEC33,SHA256=B7EA8E6E992DC6A3A6ABDBA7BEBA3DA800BE186341CFF522A754840ADE7E9B48,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:00.125{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3970-63C5-CD01-00000000B002}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:00.125{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:00.125{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:00.125{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:00.125{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:00.125{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:00.125{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:00.125{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:00.125{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:00.125{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:00.125{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-3970-63C5-CD01-00000000B002}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:00.125{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3970-63C5-CD01-00000000B002}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:00.125{312A7A06-3970-63C5-CD01-00000000B002}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:01.279{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3971-63C5-CE01-00000000B002}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:01.279{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:01.279{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:01.279{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:01.279{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:01.279{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:01.279{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:01.279{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:01.279{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:01.279{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:01.279{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-3971-63C5-CE01-00000000B002}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:01.279{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3971-63C5-CE01-00000000B002}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:01.281{312A7A06-3971-63C5-CE01-00000000B002}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000014259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:01.215{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5195FB60CB665EBFC9C7F77C70F97AB0,SHA256=70CFB76A2F40DAB7FA859AF413B9963E8B27C79D7F2DDB0F5230FEF68B39DB03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:02.573{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC0DF3F338166D8D20A18334B8C6C72D,SHA256=CF28E3DC7FAAAD124418A7A0B81879229AAB23FE03632EDEAA28A36887D2E5B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:02.308{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3B2E203AA1862C4221B84983D87B82A,SHA256=0810852A0151480FAFCEDF64F2BDDAC04505E8A1B90C08491671EC41E2983BD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:03.389{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1111D392718F722C395CFAC05295F6BC,SHA256=05FE7E437FE6875C54FCE7F8113977590C7ECD47ED0D9E515102168236534239,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:04.478{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66FC91EC16FC07843CA02192AC196009,SHA256=5FC8B022AEFBEAC16B9F048205936FAAB28CC5AB87ED175E5746630FF8BC8124,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:02.428{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49996-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:05.583{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F47BA1D517189247249B1672BE49167,SHA256=334961A8F7383B2105873876191592C3F1C3105E92A637E45601EAD8074ED3F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:06.672{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A51845244E9C30B9910B8AC38D4EADC,SHA256=510990AB522968A403CDFCA2C3432AA1FC0AA3437247E1E2559D6C310C1D5404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:07.770{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16AFAF93B1402B75F0895A697A643918,SHA256=FE9269A616EBCD5380D738485BACAD5DE72488B852955F56D0FC80F791032C67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:08.869{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2D79D4051D1F9EFF5BB66A4E6E1C3B6,SHA256=A12B6656BB2650B87F22CE94C11AECA6162DA4804C3DB6FB079DAC38C0741F2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:09.974{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:09.968{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 23542300x800000000000000014287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:09.960{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC5363F9E4C8AD567192D33F7650D89,SHA256=178F3EF376A026E2DF59BD43865AABB8B3A1FE8B5ADF23426AABB1C265E9F659,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:09.959{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:09.953{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:09.947{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:09.938{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:09.932{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:10.093{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:10.091{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:10.088{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:10.088{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:10.084{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:10.082{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:10.081{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:10.080{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:10.079{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:10.076{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:10.073{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:10.072{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:10.068{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:10.062{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:10.060{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:10.055{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:10.049{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:10.033{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:10.031{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:10.023{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:10.018{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:10.012{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:10.005{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:10.000{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 23542300x800000000000000014315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:11.534{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43F1B0AC50D9E4C7E558E915A0781EF8,SHA256=B6AC30C570433E3907F28F5572180E7878DCA349BBA55BD506252ADE6C9E31B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:07.617{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49997-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:12.269{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEF617F97A69F9A35A008DF57434F689,SHA256=DF831349DBD15BFBB3C0F8D845C6C1BAA3C4709DDE097D165EC0597A3C714818,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:13.367{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57F5324D4C90F23490ED06139A9BDB79,SHA256=F0F438F6E17D1385CB3750749AEB0903C5952DE92D025C7BBD4A3076205CDB03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:14.467{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53A6ED4F581C981580530036D03B7048,SHA256=3C4D1DD9110A3B234438DBC02B3BFB0BD0DCBE56D61499D7F0E2B4CAD04CE5F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:15.568{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F309D37DBA880DD9BEEF0F1EF77D830F,SHA256=8F52524175AE60EE8349B4064C0AE00206A6C78AA29F610F0FBBD9D320359FD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:16.654{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=808958331D2F2F7B2576100EEEC152CE,SHA256=F0E0409CFE8C5B61F70597165F39391294195DC0F06A7F32A39B7943C94A1D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:17.747{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E131885E669B76117293FE6F6D05E043,SHA256=27BB510DD8A8F56ABB9B127B624CE67F3A451F57735CB1BEB2258183AE578AEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:13.486{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49998-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:18.954{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:18.837{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD35B18457D2BBCACC1590700C55FFCD,SHA256=93E2AA6A644B5739AFEC6112F41EB335F82C9C34B16F43061BD77BE49A195A8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:19.951{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E37707348DDBCA2652C340509DBC065,SHA256=0312E9CA0B8C7DD07C744AE178A7216D73CEFD72B3453C615175BD465B08F442,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:17.311{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49999-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000014327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:21.042{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=439051383579491928A1FE30C91FFAA0,SHA256=6FFCF0F60D9162C8A45C524EAF9526BA003E46F037124B4C8AC9E43002FC6DCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:18.580{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal50000-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:22.132{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5453CC427D5717F1AEEB8D0F6948D009,SHA256=6FEEF7140DDEF525A0208D3E5CD7AB74D81BE34BC27E37EA8FFBD7CD1AA2BC1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:23.234{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F307D34FDA52E9697464C252CD16CB9E,SHA256=75AD3748429DFC31F1886110E479D3371117DA419378DF8F08CBCDD743C6C74B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:24.774{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\respondent-20230116112145-025MD5=B18DB66107F9A3DB58AE009D35CE0A39,SHA256=9B023875329D6D96D1D2E2C61D5FC66BDE525A94E7FC76E10487647BF6E62E63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:24.333{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B05F9576A06F2AA7AEF8D7370D4820DB,SHA256=6BB53492DA16408E992B545707E0CBA70DE44F50FF74ED01E0A7E50D5270EA3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:25.778{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\surveyor-20230116112142-026MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:25.434{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C53FE92E618C8981742F4BA84FC68A1,SHA256=7F289032AA63AAB0D9982A6AD8EF440AC39E1298BFC8DD4BF0935D5CC6EB624F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:26.539{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51B7ACFFFD26165D1085A89B2C9F0F19,SHA256=DA470425229354078B277E7E397D866D363D7737C759BF1C74CBF2653995B5E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:24.452{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal50001-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:27.672{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FE1ECCF0E70004922F1BD7F48860E5A1,SHA256=64687B347E39D9F3394631CB97D85279CDB2C1B3C3C8D4852495953D5E311859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:27.625{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37D6F24F2678F0B9C44C6A2EC8A99D1A,SHA256=C564CB238983D792EC971592AFF3811A6D6CDF2D77B7830601EA3102D1522255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:28.713{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77809BE04AF3120CD784054D735455AA,SHA256=5C15B2E32EE4862D8C442C4AA5248A684CA51C3246FA57E50219EB80B15E1F83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:29.980{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:29.973{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:29.965{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:29.957{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:29.943{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:29.929{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:29.926{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 23542300x800000000000000014340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:29.806{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9399C8050F80EF374B5EC1330B15737,SHA256=E1F8275E8D77A08CDFB6760F60D24BAF0E5295EE9000C6828B72AEB775C3A9AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:30.110{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:30.108{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:30.106{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:30.104{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:30.102{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:30.100{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:30.099{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:30.098{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:30.098{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:30.096{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:30.095{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:30.093{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:30.091{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:30.086{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:30.083{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:30.079{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:30.073{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:30.061{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:30.059{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:30.053{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:30.048{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:30.041{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:30.034{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:30.026{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 23542300x800000000000000014372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:31.055{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88F78D21C2D51D7723C010E5269FDE84,SHA256=0FBCC549209D8FC47D4B46E1A0AFF7A071AF410EF90BD33C751110C27D9B5D2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:32.228{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A773F1F1ECADACD458E65D8FEC9241C3,SHA256=5DEB849DF5B79288902E844B2469BA518D0954C1D5267910657397EB19B67197,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:33.328{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77CD2C49146A38411D9B08763510806E,SHA256=295D0D4729DE7E9660B5D056BDABBE04DCF4686AC8504D732627BB8670FAE14A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:29.468{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal50002-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:34.424{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66F5A421BA05D4DC0682A699070FBFE5,SHA256=C38225D32DFC5E6997B20FE2EF480CCDED31B0987D2A7570ED0FD4E4C72A06E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:35.509{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8547C06B1D0ABFF92E8EB2CF27E12970,SHA256=6D840D097396350B3F3B27BD200401218BF83BA55C2BF4CEE721B32F8718CAD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:36.598{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFB7ABB6DD9903FA6E90D039E80AA323,SHA256=CA1F2040E74B393311E7FE8B82C2FB18AFE86734D146A79A2C15828EA84FB437,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:37.696{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=725DE01903025B0329C0EA7CA9B93D09,SHA256=039455394DD426B1A108E761A7F48E2FD38A7ECB32C723AD58A2EFCEAC1E0ECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:38.793{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BA84EC19367D241F073204960593A4,SHA256=88FE8177E651CBAC0075954D0D1A31F8E900D0652E97FEA74083A9EB74D337EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:39.893{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5331DBCCD7153BA5237E987F24077A3A,SHA256=9B982545E3F781B469EE645F570BA8345498BCC50FCDFC49D6B99959A29F6604,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:35.427{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal50003-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:40.982{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2371F2C3D9993E1EA9BA087C0BA35E16,SHA256=C7EC46F79906EF4E09BF9A746AFB47EA42771C6883C6DD5B49997891CB2AD49E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:42.072{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4102E3F1F91F5018301F8171A99D908D,SHA256=7A63688E54F0415A3AC6EBFE00FBFE9F2DB165AF053D579BF8B60EB1FD970167,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:43.813{312A7A06-3345-63C5-1200-00000000B002}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6EA8BAEBA915B35BF178ACD6C35AD84D,SHA256=3E82F1B487E74AED9DF8E3913978BB6D4CA58322DD76F128E2B479FCA3213149,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:43.170{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=158659A896A2E5F24E6F1C8C329B0819,SHA256=437445AFE41C6CE647ABFC830C77D18B5BCDA706FED8781A765620474A6320AC,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000014398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:48:44.989{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000014397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:48:44.989{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0018cc05) 13241300x800000000000000014396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:48:44.989{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92998-0x1aab5bae) 13241300x800000000000000014395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:48:44.989{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d929a0-0x7c6fc3ae) 13241300x800000000000000014394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:48:44.989{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d929a8-0xde342bae) 13241300x800000000000000014393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:48:44.989{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000014392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:48:44.989{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0018cc05) 13241300x800000000000000014391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:48:44.989{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92998-0x1aab5bae) 13241300x800000000000000014390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:48:44.989{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d929a0-0x7c6fc3ae) 13241300x800000000000000014389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:48:44.989{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d929a8-0xde342bae) 354300x800000000000000014388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:40.553{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal50004-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:44.270{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8953EBCE74C31F19681942B47CBB5EA0,SHA256=E2C65D081DC2C2B098AF1E10FF85B48B3D8A6BB2F21F6617FD71F52D8B5DC090,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:45.370{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0816AA8AE41993039A2953A3BBF5BFD1,SHA256=2E113E8B2252FA9567AFDABB39C92A6D7C59934E99051916E385784ECCF960DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:46.460{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0219563ACC9905ECD7645BFBB02CDC0,SHA256=5CA88F1C06308A1DB57F28EAAF3385FECEE919C6DA644A5E80B0D5E55BA46FD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:47.560{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C434025993E4B695D22D1D9E1056854,SHA256=92F6C2360D6E8B21687AA65A1827B510FF6E4F2CB87A3AD83F0EBEC3EBD6F519,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:47.214{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:47.214{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:47.214{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000014405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:48.653{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C602DA7DBA0665724F8160EF5FC832C,SHA256=B0A0E6945B81EE59E0CCB5F3FB9D3FF0D20C1939B75BC164665F7F29D3D20D2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:49.981{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:49.959{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000014412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:49.956{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000014411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:49.954{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000014410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:49.948{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000014409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:49.940{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000014408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:49.936{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 23542300x800000000000000014407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:49.760{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8119449EFDEDA8B70EF615B9D30AAC90,SHA256=1B864735AF51713DB02D88D393D5DB2C1762796A974D271C3AA7F51A61C96D50,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:46.415{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal50005-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000014438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:50.097{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:50.095{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:50.093{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:50.092{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:50.088{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:50.086{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:50.082{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:50.081{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:50.080{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:50.078{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:50.077{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:50.075{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:50.073{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:50.067{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:50.059{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:50.054{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:50.047{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:50.034{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:50.033{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:50.027{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:50.021{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:50.016{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:50.010{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:50.004{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 23542300x800000000000000014439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:51.069{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BBC22C8434073201C4AC82F95B906C2,SHA256=177ED4D77EC096124388749AA7F0648EF6057FD1323CC3D072EA9BC1E4E9DF6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:52.922{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:52.922{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:52.922{312A7A06-3345-63C5-0B00-00000000B002}628668C:\Windows\system32\lsass.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:52.909{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1D00-00000000B002}1996C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000014440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:52.153{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8869BE99B122EF6DCD2A476E3C3B31C6,SHA256=3F10D83C25151120BF7F2D095CCBC0816984D55C16A1B83117B548AAA98475DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:53.242{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D2057C0112D0AD316F306429EBDBAA0,SHA256=471BBCF2E398BABC5B22FD87E036437AFF923B5DF61FC05AE6A2514DD1CA7D5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:51.473{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal50006-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:54.341{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2774143376B8C03BF6D2D3D6EED041AB,SHA256=D49D9E7E394845364B2E536A39617E27B4B21B32445567F9576BF05496EF98B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:55.434{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A987E3926C8E391275D60FE754C9AF1E,SHA256=186F3BB42D17424C26E9E2F18F1BF818BB0A6F0D3D2194EBA41E63F6F53F85A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.827{312A7A06-39A8-63C5-D001-00000000B002}28242616C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.671{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-39A8-63C5-D001-00000000B002}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.671{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.671{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.671{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.671{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.671{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.671{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.671{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-39A8-63C5-D001-00000000B002}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.671{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.671{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.671{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.671{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-39A8-63C5-D001-00000000B002}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.672{312A7A06-39A8-63C5-D001-00000000B002}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000014469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.530{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03E167D205D6EA4B9000C6DF3C4148AE,SHA256=EBECF75CDF81B438AD2DAB61048DD0D51292DF7F1395A9C0202BEA4A15D30204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.265{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=683672C4E918098F4E30BC5DCAB109C9,SHA256=2181FAD0777E6C6485FED53323DA9934D5F2EC27966F7FABA56D1F994FE02415,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.156{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-39A8-63C5-CF01-00000000B002}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000014466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.156{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-39A8-63C5-CF01-00000000B002}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000014465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.156{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-39A8-63C5-CF01-00000000B002}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000014464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.155{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-39A8-63C5-CF01-00000000B002}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000014463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.155{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-39A8-63C5-CF01-00000000B002}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000014462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.155{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-39A8-63C5-CF01-00000000B002}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000014461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.046{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-39A8-63C5-CF01-00000000B002}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.045{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.045{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.045{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.045{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.044{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.044{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.044{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.044{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.044{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.044{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-39A8-63C5-CF01-00000000B002}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.043{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-39A8-63C5-CF01-00000000B002}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.044{312A7A06-39A8-63C5-CF01-00000000B002}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000014499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:57.820{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=67BEABC9B962280ACEBD4D33B7FC0E26,SHA256=AB5EBF35F4AFCCF88E9958ABFBA4E9D1DBE0511C6C04360F8829373BF057F765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:57.695{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8073B8E7F0DE7A78C25ACA5100092F57,SHA256=3B37A5EA6D20B127647BEC91134AD93C11A30FDE2E7B6E5D580E0BDF4A9F9BD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:57.336{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-39A9-63C5-D101-00000000B002}2664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:57.336{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:57.336{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:57.336{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:57.336{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:57.336{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:57.336{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:57.336{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:57.336{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:57.336{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:57.336{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-39A9-63C5-D101-00000000B002}2664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:57.336{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-39A9-63C5-D101-00000000B002}2664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:57.337{312A7A06-39A9-63C5-D101-00000000B002}2664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000014484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:57.125{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07DDFB6F82026510FBE9A02EFF6E269D,SHA256=87C9883020B2020640409424DA9BEE9A135F11EAFDF2433FC7956C90F6B07C15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:58.862{312A7A06-39AA-63C5-D201-00000000B002}24082392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000014513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:58.721{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53BFA5F363939ACD203B1970CECA3158,SHA256=D24F9804132CC44621F419D824A5AAF968AA833A0B787AD48A6B5CA1355CDF4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:58.690{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-39AA-63C5-D201-00000000B002}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:58.690{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:58.690{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:58.690{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:58.690{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:58.690{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:58.690{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:58.690{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:58.690{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:58.690{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:58.690{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-39AA-63C5-D201-00000000B002}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:58.690{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-39AA-63C5-D201-00000000B002}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:58.691{312A7A06-39AA-63C5-D201-00000000B002}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:59.946{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-39AB-63C5-D401-00000000B002}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:59.946{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:59.946{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:59.946{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:59.946{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:59.946{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:59.946{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:59.946{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:59.946{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-39AB-63C5-D401-00000000B002}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:59.946{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:59.946{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:59.946{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-39AB-63C5-D401-00000000B002}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:59.948{312A7A06-39AB-63C5-D401-00000000B002}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000014529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:59.821{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BFB1C03B5C92B5EFA4EE18780FC6178,SHA256=D659F9E04882ADDE2DB72CE2D65945976D9CAB350E79E8C4688D9D75F2124FEA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:59.603{312A7A06-39AB-63C5-D301-00000000B002}35162828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:59.446{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-39AB-63C5-D301-00000000B002}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:59.446{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:59.446{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:59.446{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:59.446{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:59.446{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:59.446{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:59.446{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:59.446{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:59.446{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:59.446{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-39AB-63C5-D301-00000000B002}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:59.446{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-39AB-63C5-D301-00000000B002}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:59.447{312A7A06-39AB-63C5-D301-00000000B002}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000014545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:00.904{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1F13C9A93BAAB3AF2B7773609270224,SHA256=46042B2F4AD54210E24AB960C3260627F5161D0F4A13670C94CBC8441A5E579F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:48:56.604{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal50007-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000014543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:00.157{312A7A06-39AB-63C5-D401-00000000B002}33963204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000014562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:01.981{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F28BF0D488D914B990F2F8AF78D226F0,SHA256=A877235CF98C8F5AD317056292EDB800B5D9AE66C1D0BAA412B0DE2A2B8B6A15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:01.376{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-39AD-63C5-D501-00000000B002}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000014560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:01.376{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-39AD-63C5-D501-00000000B002}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000014559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:01.376{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-39AD-63C5-D501-00000000B002}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000014558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:01.273{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-39AD-63C5-D501-00000000B002}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:01.273{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:01.273{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:01.273{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:01.273{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:01.273{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:01.273{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:01.273{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:01.273{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:01.273{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:01.273{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-39AD-63C5-D501-00000000B002}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:01.273{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-39AD-63C5-D501-00000000B002}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:01.274{312A7A06-39AD-63C5-D501-00000000B002}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000014563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:02.467{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF93798B7F831C8BDF844A5A8003FF02,SHA256=A5FB5E083211E08B36E47B2C5A90B5110AF4F33231D8419877DCF08CE63EAF66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:03.079{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B06851214DF73867E3758B2004830A1,SHA256=3CCED53FADEF5DEE26C7CD3016C68EA73A1D69B78BB5AF1E5C56A676B75D8B84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:04.181{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A0B8341959C915521C8AF706A50C4C9,SHA256=D017487B80B937F5C97C1857D6D7CE9BC9805CC6D2CF4AC6DFBE8D9DE652743D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:02.522{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal50008-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:05.286{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22E718EB4410F7CACB22FF22E7F5E161,SHA256=38AC7FFF10196A5D34EEAB4F3B7F67B41CDE0CC624D1674E1167B0104D919B91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:06.368{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C96CAC15AE0208C7D51FE186E33B0840,SHA256=1477A6C66EA3054A5FF9C25802F39EE4165BD07F763CCFC9E38425E49A0E6047,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:07.477{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C837E6AD133B5AA638E9009DD3AB04E,SHA256=091FC382306851D78A2BA44C804E3ECC352FDD901E4C4BB931147144589CF1D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:08.555{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CBAFF836E2B06E583178AF605896345,SHA256=65BD14E893AABB723A15226525A6EFB759834980AB0E23389561AFC5BBD22DC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:09.966{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000014577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:09.962{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000014576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:09.955{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000014575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:09.947{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000014574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:09.940{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000014573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:09.933{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000014572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:09.930{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 23542300x800000000000000014571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:09.653{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D6449C435316CA9684692407C1CDA05,SHA256=7DDA600DCF9A147BCF9CF33F574DBCA67C40B66D7DAD21A35815C52E67CD388C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:10.948{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3857A78F2D643B86C49F75B667EB8C6,SHA256=145B97106064B2B01816CFB6B1C9FA0FF88A573713998982EE75C52C206F1A37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:10.129{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000014601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:10.127{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000014600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:10.122{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000014599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:10.117{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000014598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:10.113{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000014597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:10.110{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000014596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:10.110{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000014595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:10.109{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000014594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:10.108{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000014593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:10.106{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000014592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:10.105{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000014591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:10.103{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000014590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:10.101{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000014589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:10.095{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000014588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:10.092{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000014587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:10.086{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000014586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:10.079{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000014585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:10.061{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000014584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:10.059{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000014583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:10.052{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000014582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:10.045{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000014581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:10.039{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000014580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:10.026{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000014579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:10.011{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 354300x800000000000000014605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:08.496{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal50009-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:12.016{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E3D2B06D75E7D9046E88C9D96441760,SHA256=DD635C178554326F8B942FB4443BE07AAAF0B7B227FDA54E7C242A7A66FA0A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:13.126{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F2F7B262AA52DB50EC6BA8EF9235BF5,SHA256=632AF23659F9686E3A41DB1546C626F73DBFC6C70CDB353BF19B523DDFDD682C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:14.223{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B33A90E7CE65131797F488DE47C454C8,SHA256=B8B3A52997907732685FC23D136B5B133F61D93F17D2870111031A43D589C6DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:15.321{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8181DCA7C6C7F54959B57C0D494ABBED,SHA256=8B676591135211F68D4F9B52AB01A78F7D2492B4CF14ED483FF124934C401337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:16.420{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E1BBE843A7A9D8F1FA9A5AB5D2BBFB6,SHA256=B90713A9A0AB5106A26B0FA9F5649E93875CFDE53D822E021E90A88EFE776FC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:17.515{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AEE2D984A7FEEBC7C59915A41C58F1B,SHA256=E25454E3B9F66B968149C464343EC3B958CEDDC4409B00C38B6EF449F51F17BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:14.505{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal50010-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:18.973{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:18.536{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6E0DD52C33CC91C85D59F775BC20D35,SHA256=D4CEF3D94952A5BFC83AB41E55CB4876D828F6CBC461DDD491D244E6B82FB7F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:19.628{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EDF3134F850E2ED1C12ADC6F9236EEE,SHA256=E7049D55B868F4DAF683775723B52456BC9D84C251FBB260C97E7D56C7D7C90D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:20.692{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=897A1713FF3F0C9378F205005005321B,SHA256=615E3B0D45035D9705C2B1B7633369D613E87BF1DFCC45DF5245A05ECD0E2DBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:17.330{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal50011-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000014617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:21.772{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0B0D4862BF0FAC43375812DA7C4FCCC,SHA256=343D601A702E4988A8D277345FB423FA13E5AE352615E045AF3B046A95B08E5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:22.862{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44688633A56E78A30E0D8BFD11D6E5BE,SHA256=222C83A2E73D208C36527ED93D521A91A0BD2FB67E839D80C3B3AF41CB7289C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:19.616{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal50012-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:23.949{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1755541A9E8A3313467F4705435A5E45,SHA256=30B7EA18F2896915B6719FDFF723C220DE7D106E868E8199AEDB2169C2757D7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:25.042{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C712A8B4A341B6FD0EFB3958453B9BD8,SHA256=AAEAA0D6E0A87E1754711FE29B1068E219AFE13320E939FF8A1BE877B9E67343,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:26.294{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\respondent-20230116112145-026MD5=B18DB66107F9A3DB58AE009D35CE0A39,SHA256=9B023875329D6D96D1D2E2C61D5FC66BDE525A94E7FC76E10487647BF6E62E63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:26.120{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=996233E290F86D78E15627EE88687204,SHA256=E63AC70D3649902E9A5CDAC6EAFD2478448B74859DEBC1307A63BE614617EAE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:27.296{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\surveyor-20230116112142-027MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:27.217{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9CF84D0537555162046E9636D4FF325,SHA256=8D2349A7B13B32AE3068B1ED2EB6AF21B19878282BE293006819871C798DD03E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:25.589{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal50013-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:28.296{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D6FE75BFED2344E37EC683A127E14BE,SHA256=80654563F59B9ABCEE547DDD3DF263D159308152F453E4E7783913379CF02AC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:28.171{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B49CA80E42B170DB45B1547ACB54F05D,SHA256=5E44F4886AD355BA42CE25DC120909F3039A5ECC90D37A121DC0BF3EDF08A8EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:29.994{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000014635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:29.988{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000014634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:29.977{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000014633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:29.965{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000014632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:29.948{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000014631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:29.938{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000014630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:29.935{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 23542300x800000000000000014629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:29.393{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20A0D23B57AC5EEC5DA9176CF6136E6B,SHA256=A3002CAB7DD254E9E729FCEF489531E8A870651533EB3BCAA6B3710B9ACDD396,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:30.662{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C8F73AD6CDF07DEE01D9F8FA19DA847,SHA256=32CC61E82641D3BACC5B1E251E69D8B0D81DEA0D1C138059AF48F11988672BAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:30.129{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000014659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:30.127{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000014658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:30.125{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000014657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:30.124{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000014656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:30.120{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000014655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:30.118{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000014654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:30.117{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000014653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:30.116{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000014652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:30.115{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000014651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:30.112{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000014650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:30.111{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000014649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:30.110{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000014648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:30.107{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000014647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:30.102{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000014646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:30.100{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000014645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:30.095{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000014644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:30.087{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000014643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:30.072{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000014642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:30.069{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000014641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:30.063{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000014640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:30.055{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000014639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:30.048{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000014638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:30.042{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000014637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:30.031{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 23542300x800000000000000014662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:31.683{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFD796396DB2F4ED76BAEB2737C74B72,SHA256=77801E6F958AEB99AC93EF2CDC9364200CE1590A762F4311CC97EA3068C462E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:32.774{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE6D94DBCA64F056D56D673A10A1AAF0,SHA256=A1003CB7A8EB126D36968DACE7C37EF14FD1C66AB432089190E8228C72CA61D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:33.869{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA48A7DBDA13FC5F138045D5D126A5B8,SHA256=20C40F2B2065961CA8A1043C50E0081E03A4F7DFDB866F31760AD53C482113E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:34.978{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A28091F3B9C8BB964EBF98BEB92D0D7A,SHA256=04595603BC22C0E679DC3ABD7E00A3AE2866B794B3B82143E70894C92BDFE5BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:31.477{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal50014-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:36.067{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC2A75B2036326E402D6635D6883BFD6,SHA256=64A752867EF1A61203E35C5DC1AD7D45C7DF3FABABDB0194F954E2C7D0DB759E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:37.145{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A31521E802CF472CC87B9175B22DFAB3,SHA256=C19588412B6236E8469505B3BC2CE9434A629DDAD8980E477AD8C44315103851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:38.345{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB23C5A722E8C9D7B9E0A3DEF533BAB7,SHA256=78DFEF025FAE15AEE60F90F092C443E5FCD1E07D335B2155B58E737DA8618615,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:39.440{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF162E1A67892535397F16725D31C19A,SHA256=D3D058794A88F064B8A13BB0940D78B77DF794FD4C6F92598243FDC279DDE61B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:37.482{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal50015-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:40.538{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BA4F7DCE73FEA1435630748D34E29AD,SHA256=1FAC0148FF7723D7D82A57E9F443E412F066599A65F989A9CE160314285CBB10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:41.622{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=540195A13134BD399135FA6E8E9CABD7,SHA256=59A65D5D59082BBDD679E3FBB19EAC22EA2FCB1BB8A68FDD96FBC038903A7A83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:42.723{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BD9367F17DDE4EE7DED9D502EFD2B98,SHA256=18369D7BB72D7D22ED644630A5233671CF58345B2A57BFCF9D6A1A317D534DD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:43.820{312A7A06-3345-63C5-1200-00000000B002}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=AC781ED72AA62085B9368BCB326EAB7B,SHA256=36AAC84D29853A9B217977985088D7D667D7FDB3F57BC2F83B499F8314820127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:43.804{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C937B216F2FBEA4FDC813EA462B7CF73,SHA256=AD7BE3E207A752D4D30AA755519CD4CEC961A9EA6F6082565B655813D26851D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:44.901{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85612F53307A118E8C460E8057F1DCF2,SHA256=EE5CF4CFD4D68454874DE648B173534592BB5EA5A04600893308FEBE8244EA2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:46.001{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=507B0DFC7667485A0B9B5E52E20D1BA8,SHA256=9EB41BD455C9C920EB938495E70E106C6E3B422A87E908A35EB52917C68762BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:43.450{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal50016-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:47.104{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C87930DF9F155239347187204DB767F0,SHA256=00DC75681CF87FD5D875C28930A4A7D1C0550318F2C3ABFD122B970705C51C4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:48.195{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2BC7969F42EFA609F8E02C519C96775,SHA256=99E52E04DC24DBEC457C93CBF97F151754F575E0CDB94EA5F3165811C720406D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:49.993{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:49.982{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:49.974{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:49.965{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:49.956{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:49.946{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 23542300x800000000000000014682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:49.287{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=829E58885798D95A0E333405D9AF4A44,SHA256=2A6AE99967FB7704A2F1ACECE77DC1794C13F256A2D2B54143D86C8094AB9BD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:50.433{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F30BD015A3104A6D0146C2327914872,SHA256=DCB2395674BE9B8996CB81077FBB2B4ECF8DFB0384860B24D258D7FA4916D83D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:50.176{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:50.174{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:50.172{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:50.171{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:50.166{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:50.164{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:50.163{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:50.161{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:50.157{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:50.148{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:50.146{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:50.144{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:50.140{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:50.132{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:50.131{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:50.125{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:50.115{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:50.097{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:50.094{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:50.082{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:50.074{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:50.061{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:50.046{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:50.039{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:49.999{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 23542300x800000000000000014715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:51.467{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37E182F8A8AF44E7ACBFDE261DEF1D99,SHA256=DE3533C13C42E6C7005B594E875DBBA33919F84FAD4DCE1A1C9AEF7184B0622A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:52.920{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:52.920{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:52.920{312A7A06-3345-63C5-0B00-00000000B002}628668C:\Windows\system32\lsass.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:52.907{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1D00-00000000B002}1996C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000014717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:52.575{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E048583D98F239160D2C52115CD81C73,SHA256=91BB46E7E340FB1E8AA480C6F4F26D94CFAF849081CCDDA9CF8A9AAAA486E6CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:48.615{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal50017-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000014723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:53.916{312A7A06-3345-63C5-0D00-00000000B002}7763696C:\Windows\system32\svchost.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000014722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:53.660{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0802919B9C13F37A28D9AE8212C0AA7,SHA256=C3F5E119926B888894D6587BB4B4F174EB507780EF828736C7E6F2E4DC933636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:54.760{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86912B936DBE7B60E83369940901ECB9,SHA256=9A97B9A471F94334F23D1CD99E3D43DCB77B8A73F035D76F28ABF0F533A190EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:55.877{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92E6CF2B44E282D1E330A76FA9FEB71C,SHA256=C70392DE9A2F30E8BA3D3BBF5ECDD5ADBC3719EE6A327E39763543BB54EF1D30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:56.904{312A7A06-39E4-63C5-D701-00000000B002}39563804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:56.670{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-39E4-63C5-D701-00000000B002}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:56.670{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:56.670{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:56.670{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:56.670{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:56.670{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:56.670{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:56.670{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:56.670{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:56.670{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:56.670{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-39E4-63C5-D701-00000000B002}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:56.670{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-39E4-63C5-D701-00000000B002}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:56.671{312A7A06-39E4-63C5-D701-00000000B002}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:55.998{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-39E3-63C5-D601-00000000B002}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:55.998{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:55.998{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:55.998{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:55.998{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:55.998{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:55.998{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:55.998{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:55.998{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:55.998{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:55.998{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-39E3-63C5-D601-00000000B002}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:55.998{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-39E3-63C5-D601-00000000B002}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:55.999{312A7A06-39E3-63C5-D601-00000000B002}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000014769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:57.972{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90A883E5D2F5CA0CF980D719370A9B6B,SHA256=2774DF8B3896B169EB1E9DEA23048D17AE77EEDDD800D482E5C01327C7E08F89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:57.175{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-39E5-63C5-D801-00000000B002}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000014767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:57.175{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9943ED796FB78CC5AFE3F45EAB66918,SHA256=A7AF5C6A7FAFB891C7413AEFB5EBF7639D440A233D4D21E94AAC254787E2D50A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:57.175{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=366F49B3E35476D4FA79552B3EC73613,SHA256=D8E7E7F4C4AE376E2374D3407EED5B9517B6B23DD8394ABF54F1EE2AD06CA4B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:57.175{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:57.175{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:57.175{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:57.175{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:57.175{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:57.175{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:57.175{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:57.175{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:57.175{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:57.175{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-39E5-63C5-D801-00000000B002}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:57.175{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-39E5-63C5-D801-00000000B002}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:57.176{312A7A06-39E5-63C5-D801-00000000B002}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000014753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:57.113{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C72687EEC4F8D2BA2458671579C2FD1E,SHA256=587EB88F6B3AF9EC2E150983CFCA91104085DABD257BCB1F2F23430B91D33544,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:58.839{312A7A06-39E6-63C5-D901-00000000B002}18961216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:58.698{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-39E6-63C5-D901-00000000B002}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:58.698{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:58.698{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:58.698{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:58.698{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:58.698{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:58.698{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:58.698{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:58.698{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:58.698{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:58.698{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-39E6-63C5-D901-00000000B002}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:58.698{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-39E6-63C5-D901-00000000B002}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:58.699{312A7A06-39E6-63C5-D901-00000000B002}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000014771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:54.510{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal50018-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:58.323{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7200B60AA4C02C93A44380B17C3D0F07,SHA256=BB2625B66CEFE39A2A243C8B2EB6394EA6BB274450ABB023187219CC58B15460,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:59.595{312A7A06-39E7-63C5-DA01-00000000B002}2020920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:59.438{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-39E7-63C5-DA01-00000000B002}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:59.438{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:59.438{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:59.438{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:59.438{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:59.438{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:59.438{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:59.438{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:59.438{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:59.438{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:59.438{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-39E7-63C5-DA01-00000000B002}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:59.438{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-39E7-63C5-DA01-00000000B002}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:59.440{312A7A06-39E7-63C5-DA01-00000000B002}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000014786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:59.069{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB53A58B01A73A80249059DAD29F696,SHA256=39FE96BD24A74E4C9E50696FC15C399A9BEB57ED8DF7E04191409E630E9D3092,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:00.239{312A7A06-39E8-63C5-DB01-00000000B002}22681916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000014820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:00.189{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F926C2C723B02962992AD17DB1618BAB,SHA256=424B494DDA8492003E33B5E05CF8E959D08B6A7BFD4F9CB28F986C2C4A2E27F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:00.184{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-39E8-63C5-DB01-00000000B002}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000014818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:00.184{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-39E8-63C5-DB01-00000000B002}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000014817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:00.184{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-39E8-63C5-DB01-00000000B002}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000014816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:00.183{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-39E8-63C5-DB01-00000000B002}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000014815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:00.183{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-39E8-63C5-DB01-00000000B002}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000014814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:00.183{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-39E8-63C5-DB01-00000000B002}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000014813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:00.059{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-39E8-63C5-DB01-00000000B002}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:00.058{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:00.058{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:00.057{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:00.057{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:00.057{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:00.057{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:00.057{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:00.057{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:00.057{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:00.056{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-39E8-63C5-DB01-00000000B002}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:00.056{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-39E8-63C5-DB01-00000000B002}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:00.056{312A7A06-39E8-63C5-DB01-00000000B002}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:01.270{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-39E9-63C5-DC01-00000000B002}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:01.270{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:01.270{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:01.270{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:01.270{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:01.270{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:01.270{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:01.270{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:01.270{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:01.270{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:01.270{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-39E9-63C5-DC01-00000000B002}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:01.270{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-39E9-63C5-DC01-00000000B002}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:01.271{312A7A06-39E9-63C5-DC01-00000000B002}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000014822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:01.254{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62C858CF9E79CA44A175C59337BC7BDE,SHA256=39D4D9C573DA0CA5744F0F417F61CF9E283F79E794E310A4A357334BBAC8683F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:49:59.610{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal50019-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:02.348{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AE6DFAE10D743533A441229BD51EABB,SHA256=C30083BC64E78171E3096043AFBB68D8BE29102123852CAFF75616EEC6E0E938,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:02.348{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC5B859C5CAE4389DFB9361B2E1EE340,SHA256=123CD63E19312965FB070D3539662E5342C19F72222D1315395415C81B295A12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:03.350{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A70F854551ECDD8EF5F567F6662AF49,SHA256=3DE1C3923C340F8010EB5E066D7132396B5D0DB95524972F6CF961A3524DC687,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:04.456{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC2944340FCE45C2E094CAE518FF81E6,SHA256=1A9CCE99134356E12BA9BB25DB83C2640D97294D55FE80F34DF2FD3CDB7EE6C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:05.556{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B000272F54E20B8D99E8C1DD30A0C506,SHA256=076E711B451ED602C21C372CEC818E18BED9832BA6DBF607ECC9A91E6212131E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:06.639{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A53AD7C240F2B32EAD36884D96214185,SHA256=4B4A617D5B8EE8DBCA37A78D3096D2683F6B39F17A46EF1D5C9495BCEB490741,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:07.737{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E08916A0E4DF8C5F0509AC202F22EA7,SHA256=24DCFC382006BA8F797018508FF867C908588230A4493D394DB18A50629BE4DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:08.811{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10767836AB84A0B0C68DF66DD6C6A750,SHA256=0C7638C894B849C9666629C8523024856AC78C15994E30CD6E2FC3AB09BDCB4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:09.995{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:09.986{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:09.976{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:09.966{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:09.951{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:09.940{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:09.925{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 354300x800000000000000014845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:05.514{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal50020-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000014877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:10.169{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:10.167{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:10.165{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:10.164{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:10.160{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:10.151{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:10.145{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:10.143{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:10.143{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:10.139{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:10.138{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:10.136{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:10.132{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:10.126{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:10.123{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:10.111{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:10.105{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:10.091{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:10.089{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:10.076{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:10.069{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:10.062{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:10.045{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000014854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:10.039{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 23542300x800000000000000014853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:10.001{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F4229F2157A6E71AE46071BC9394F4B,SHA256=1F86D35B28E6EC3EA06CB1014C098B8B9531ECFFDAD047942538C5F2A8EE434F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:11.375{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97ED4025E30AAD91DB319C6E903F373D,SHA256=7E0E049CA0DCBDED68BF9096E2F2E0553A4C51F5A1BF42E1E21CFF608851E0F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:12.410{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CA2DC3E56CF5BA3F9A7E3D0088480D4,SHA256=5542D59826A48F41BF5F83E07E1E391DAECDC59842BE1ED1E53AAB292B104648,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:10.563{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal50021-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:13.499{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=720438906F1BC419C227C25374D0E801,SHA256=6F14DF34E67B80A4F3328AE451AC2961087D833452C073E642ADD3C7809F00F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:14.592{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B869802A4B793F78437897225BD6C7,SHA256=95269408FF5642AE7DF6854E87F613A6BF57DAFB9646F32D298734F92A6B7431,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:15.689{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44A4314E66B3F31E4B8122C56EE31C48,SHA256=3B890CB65BD71D12EDC5890E2A6396144B6F89A86F6C465BE02FA7A0673DDE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:16.784{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD1E0D2E003AF950EEE41689A3C05E7,SHA256=BCC7187B315B1567E368E4462362B9A326C7748DFA4AF6B512E0E60C99752DB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:17.897{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=922B348B175A2C990C8C6B745EE47223,SHA256=0BC32150339CE1140AA3CB49DB4D30817732DFD0376E77CEF298D1E18661CE9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:18.988{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AA1A8105702CC1899A877425049D775,SHA256=CB1EF31A160B53A9F8D7EF9A6EFDE56D149144D38DB14E29C69DA448872524FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:15.612{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal50022-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:19.002{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:17.359{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal50023-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000014889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:20.076{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=815578828CB054141F19E38D496740D9,SHA256=80A2CE1E3DE36F55770BDC521FA0DCF1BF3B357E994E0F1DB127A4E49C5DC89F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:21.157{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D85D1E9C1620D1D2CC0F3AC1D6448DE,SHA256=B341B92C3B88527080599A8127F96452EBF1713009FF9292875166455450B3C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:22.245{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5867E654CCFC42C58AA388B51184388E,SHA256=17869A0D1A347E28A664BE1BD01E5429BAADC644697DAFABA12120F1F12C5F58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:23.332{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8517ABFCE796AE3DB265BD29442FE09C,SHA256=EA95CE4905519069B3373D7270F115DC88BFF285F2C2AFED10A3F66BA5D5A552,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:21.547{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal50024-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:24.426{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F549B8A68E00E700FA08A4ADFF537BA,SHA256=3216DFEBC9ED8195F3A19B5B73D36B54325A079F53D22B2715897FA00193BF15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:25.520{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A1F38019ADEEABFBAB25D0CEF86D23,SHA256=03EF2E53CA445AD884E744430CA027F121450453D9EC05F450434844FFE60B55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:26.610{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9C1028088A98BCCFACD53F9E3095A78,SHA256=30E7D5B659FD111B000F70CED0368DE64797AA46032FE10B260CFF6037AF47B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:27.812{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\respondent-20230116112145-027MD5=B18DB66107F9A3DB58AE009D35CE0A39,SHA256=9B023875329D6D96D1D2E2C61D5FC66BDE525A94E7FC76E10487647BF6E62E63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:27.699{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C84A5C8373C219137E01D2E0E33A33CD,SHA256=B084AD17934EC20EA22CD4DAA1525E2D804ADF6628AB15FF05049F31E804D89D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:28.814{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\surveyor-20230116112142-028MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:28.781{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8212B32D5D10604A7F15357CE294EBA8,SHA256=57316D128CD47B7750DFEE2BB0E14243431E4C4F4930995458DCB2D1244D6345,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:28.576{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C36D84D1997EE65F6D836572BF06CCFD,SHA256=65CBB26DB40A60C82CAB017B9CC5C7586D08B8FD560FE27B20E9816F5C14BDF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:29.997{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:29.990{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 23542300x800000000000000014910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:29.976{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=437587BA8ADFF12A63CBE8072232E777,SHA256=FFD13C41026DFA7AFA65750A76C24E3CFC0E368D6FA6F69FE8A095A452B12832,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:29.964{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:29.957{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:29.949{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:29.943{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:29.936{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:29.929{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:29.926{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:30.116{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:30.114{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:30.112{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:30.111{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:30.100{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:30.095{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:30.093{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:30.092{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:30.091{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:30.088{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:30.086{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:30.083{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:30.078{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:30.070{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:30.065{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:30.056{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:30.047{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:30.031{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:30.029{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:30.021{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:30.015{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 10341000x800000000000000014913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:30.008{312A7A06-3346-63C5-1D00-00000000B002}19963004C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480610) 23542300x800000000000000014936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:31.550{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=969C6B11261EF6678CF0CAC72B276569,SHA256=F15583EB23497A274A159456FFA77E5DB9AC72DD46BA5045788881152E4AE55A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:27.509{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal50025-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:32.249{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D406D6E4A395DF4B5E33D121E7D692D6,SHA256=A083899CDDEE307263C55F95ABE21A39ECFF3997CC5D7E1296F9CFD1F1D24BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:33.346{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246EE0E75585A82EB57E0B1DCC576A14,SHA256=7525C2AB0A60A7542623C4103EF7C2D5A9308E70BB81FF1809727AE73D0CD1D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:34.456{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5967B11DADA3363A8CCF0CA8FB268BF,SHA256=FEDE6957C08D343F963E0CDF94D13403C0131B1C29F5CC83C8BFDAB7EC70F2B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:35.541{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1CF19D6FD7488A65221F064121523FC,SHA256=56C72FB8FE1C00E714B195BDA740CEDA26F838F86628531DB134625070B82905,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:36.631{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA6537EAD86F42F9132492090343EA46,SHA256=0F81ED698CBB443447C41537DD6F1DABBBECD9E5BC2F07EF8356231AE725E94A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:37.727{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91BB5C702A6FC5BEF213B2A1DEF4D640,SHA256=D625FB2A209985B6564759019D3B51BB03B9C171332C88D816EF30E0318969F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:33.514{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal50026-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:38.810{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBA59379D4D6C1B1A9CE4EA396CEFB6A,SHA256=61E6AD7ECEA4BC0AC3C158C48B4E92D7F77F9E4976D67AD5CF6839A19A73F0D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:39.900{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF0F07759D9C490290137FE87D9AE99,SHA256=93E14D1D47A9228EC6DABA9E748D60171208A82212DF7C72E0FAFB3C44D7DC28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:40.993{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF621370186E0AA0AD211584532E235F,SHA256=9F26FC1FEC1083200A7387E8990E1CFD30CAFF7CD973E6E4832DBBC7E97635D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:38.629{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal50027-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:42.079{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09CCE511579B8078B7AD12C53EC766A3,SHA256=B90EAF5D33AC72F81C700BDC3831986FEA63DD7F63922CD2DC5C2D27942B34B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:43.826{312A7A06-3345-63C5-1200-00000000B002}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=436BB6D3D91BBB0040C5635C1B7F28CC,SHA256=2AE52422100B5B68EA6B8D60098DE694032A7B4282E78B560319EDEC0FC69BAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:43.169{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EA2D79AF1B66B308EB7341D77115EDA,SHA256=EF79B6276A2B56E457CD0DD4C7CAD151B05C93F7D23AEA73A76C7B783F587DD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:44.259{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A4A1C0787304C0C834AD3A9E30F2444,SHA256=0187C43660E3F543851FC600B770C78507C95B18C43803C148520EC6F4F2CCCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:45.355{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48BB50774C6F265A81EFAD7672AB46D8,SHA256=79789077ABAA4D957CDC08D89A9D54F8E361FCF34B2C6601AF74121A0075BC0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:46.449{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4D75FE4C6F91A43255BEE29B7D24B8,SHA256=63ECE33B724CEAA8BF19BCA434281A8D9EEA83844CCCC87D660E12937CB700D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:44.445{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal50028-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:47.538{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C611A8E51D74EE7A7D9417E0D8ACB2A1,SHA256=2D69460BA6462167314EA57092E520A949ADAE5A26772F06007542EEFF7F7072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:48.624{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B4691A04C8F99864CC9E0B1B584BAB4,SHA256=5A29D402A367DDB7D3E3C72871A5ABB1E9A0F3BE1945D6EBBF2E8171B77EDA6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:49.990{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:49.969{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:49.961{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:49.954{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 23542300x800000000000000014957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:49.718{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9DD626E08C719C8FC9DEC8B41F8A37A,SHA256=7EE704BBF783259687CB4579F4D7CE2B003EF4661C05850B26CBE641ADD85596,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:50.822{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38FCC1235E3CDC5B730EC34FA6844D72,SHA256=F8CE00740A86F2F7A3E08019C4CCB9C0836BB6ACE6DFAD88F50286CCC4CEA171,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:50.172{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:50.169{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:50.167{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:50.166{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:50.159{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:50.152{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:50.148{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:50.147{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:50.146{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:50.144{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:50.141{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:50.137{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:50.134{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:50.126{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:50.124{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:50.118{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:50.109{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:50.085{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:50.082{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:50.073{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:50.067{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:50.060{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:50.052{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:50.047{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:50.016{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:50.011{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000014962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:50.002{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 23542300x800000000000000014990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:51.901{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D57FA4DA99ECCEA815225649802B457,SHA256=AE64DD23C9DDBE9C4EE6FBA8D60D802D513B95853EB923DC82250993EE6D0354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000014995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:52.991{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4DDAE8F0D87183DE9E6975F7DCB2F43,SHA256=9E438373CFCC792BBC4604AC3367D8E5BC68C9A39A8362F42D76252BA42E2F7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000014994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:52.924{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:52.924{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:52.924{312A7A06-3345-63C5-0B00-00000000B002}6281888C:\Windows\system32\lsass.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:52.908{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1D00-00000000B002}1996C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000014997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:53.970{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47E99CAAA7BC55D7F1ACDA6F158C0155,SHA256=BFFA605D557B0AC012A1CEC0EB4DF423475D0C19805C103C676C8BFB45E0BB21,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000014996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:50.414{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal50029-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000014998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:55.059{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D1BFFDDA369C182BDD8799FB8F63805,SHA256=6EF35F7B4D3DE14A75DD6AF7CC8305D3E1E40D3F2EA5A63EA235C6DC06338408,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.814{312A7A06-3A20-63C5-DE01-00000000B002}31442768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.658{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3A20-63C5-DE01-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.658{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.658{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.658{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.658{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.658{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.658{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.658{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.658{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.658{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.658{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-3A20-63C5-DE01-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000015021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.658{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3A20-63C5-DE01-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000015020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.659{312A7A06-3A20-63C5-DE01-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.142{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D904051F7EBBE553C7BA283E3BFDC67E,SHA256=96B09771413623A7057720E633C23282553C437D52B52E4E4393BF5FF77BBF83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.127{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=70C3C009A35B1B6308EB351B353F5900,SHA256=AD54DCA44034703D61FE0FF6DBD0FC5D2667222ABB73F642D5935B5429011687,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.076{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3A20-63C5-DD01-00000000B002}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000015016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.074{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3A20-63C5-DD01-00000000B002}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000015015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.074{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3A20-63C5-DD01-00000000B002}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000015014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.073{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3A20-63C5-DD01-00000000B002}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000015013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.071{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3A20-63C5-DD01-00000000B002}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000015012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.071{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3A20-63C5-DD01-00000000B002}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000015011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.010{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3A20-63C5-DD01-00000000B002}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.010{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.010{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.010{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.010{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.010{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.010{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.010{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.010{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.010{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.010{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-3A20-63C5-DD01-00000000B002}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000015000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.010{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3A20-63C5-DD01-00000000B002}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:56.011{312A7A06-3A20-63C5-DD01-00000000B002}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:57.857{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D6A8F60EEB4CEB3348E87692783DE941,SHA256=97256F45C764E914CD6AAD2399EF669A51C809DCB61F19A1B1F1E32E184C0C84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:57.324{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3A21-63C5-DF01-00000000B002}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:57.324{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:57.324{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:57.324{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:57.324{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:57.324{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:57.324{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:57.324{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:57.324{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:57.324{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:57.324{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-3A21-63C5-DF01-00000000B002}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000015037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:57.324{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3A21-63C5-DF01-00000000B002}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000015036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:57.325{312A7A06-3A21-63C5-DF01-00000000B002}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:57.123{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12AB4752E9C807D2A549DC6BDD0D0C0F,SHA256=B369E8264D3C8B2EAD1B81DB2273936B32BE091A57D0F42B6393F100801A8C1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:57.123{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18A493B06C7509786ABA78A18D21C08D,SHA256=353B32C752ABE6A67B766214C5612C27BCB4652A4662D9A35D8D5F1CEAE7F51E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:58.844{312A7A06-3A22-63C5-E001-00000000B002}12243984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000015064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:55.452{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal50030-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000015063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:58.687{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3A22-63C5-E001-00000000B002}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:58.687{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:58.687{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:58.687{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:58.687{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:58.687{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:58.687{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:58.687{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:58.687{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:58.687{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:58.687{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-3A22-63C5-E001-00000000B002}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000015052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:58.687{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3A22-63C5-E001-00000000B002}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000015051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:58.688{312A7A06-3A22-63C5-E001-00000000B002}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:58.219{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=297D1642216CCB3B7988ABDBBFAB3977,SHA256=8341848FEAC7CCB1516DB9FA118934200144513708FF005CF20F16BBFD1F6C6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:59.636{312A7A06-3A23-63C5-E101-00000000B002}31321124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:59.448{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3A23-63C5-E101-00000000B002}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:59.448{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:59.448{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:59.448{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:59.448{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:59.448{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:59.448{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:59.448{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:59.448{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:59.448{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:59.448{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-3A23-63C5-E101-00000000B002}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000015068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:59.448{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3A23-63C5-E101-00000000B002}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000015067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:59.449{312A7A06-3A23-63C5-E101-00000000B002}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:50:59.308{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=864F5C9B71C420BD56ED002DA5B93803,SHA256=07D92B8DB303DE4D24EB37CA1DAB734271A5430F999C1FA2BAE331B7B9106495,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:00.552{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F28F2041E168C4593A826C70FF3F132,SHA256=17FC4599B128885D5CD976D3385BD5D1557AF10B7B7D2C0DA0ED0964A711C7E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:00.286{312A7A06-3A24-63C5-E201-00000000B002}29602948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:00.199{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3A24-63C5-E201-00000000B002}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000015098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:00.199{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3A24-63C5-E201-00000000B002}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000015097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:00.199{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3A24-63C5-E201-00000000B002}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000015096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:00.198{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3A24-63C5-E201-00000000B002}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000015095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:00.198{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3A24-63C5-E201-00000000B002}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000015094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:00.198{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3A24-63C5-E201-00000000B002}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000015093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:00.117{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3A24-63C5-E201-00000000B002}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:00.117{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:00.117{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:00.117{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:00.117{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:00.117{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:00.117{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:00.117{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:00.117{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:00.117{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-3A24-63C5-E201-00000000B002}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000015083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:00.117{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:00.117{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3A24-63C5-E201-00000000B002}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000015081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:00.118{312A7A06-3A24-63C5-E201-00000000B002}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:01.602{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1D68E55E8F903AC83DEF8A9EC1E04F1,SHA256=A0643AD3CF05286F24A92A554046B51B28D28F9755BFCC1CF732CE91B2FA01DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:01.274{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3A25-63C5-E301-00000000B002}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:01.274{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:01.274{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:01.274{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:01.274{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:01.274{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:01.274{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:01.274{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:01.274{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:01.274{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:01.274{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-3A25-63C5-E301-00000000B002}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000015103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:01.274{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3A25-63C5-E301-00000000B002}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000015102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:01.275{312A7A06-3A25-63C5-E301-00000000B002}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:02.694{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4FDE9EF4C174118E6002E3F3C7E9FA4,SHA256=22743AF2B415EDC348AF4609015104F8FFB83ACEC3DB7248B4B3D220E89242BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:03.787{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=789283B06A709D998D7B499028B72C52,SHA256=F958783EDF8C41F034CA7BD16F7A6459C60553F5DA668B0B04A92DF8AAD9F6B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:01.455{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal50031-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000015118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:51:04.901{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEF6673433263B5A4A796369C5F27CCA,SHA256=9127143F01112FD7016ED937F48B8841013EFB127E3D7A1D393B9032C41F8D98,IMPHASH=00000000000000000000000000000000falsetrue