23542300x800000000000000010960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:06.674{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA598E6D3CB2BA3118606ECF6F8AB369,SHA256=4DB9A96D27F860412E48E160308539CC2A0A44572EFBF98550D40FA841C6C89A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:06.650{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D78F84DF37163463496D6203605290CF,SHA256=21BC0312DBB90A74E429D37E9B9993E533C9E7124F7CB3C921C8BE00F0B0D550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:06.403{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\respondent-20230116112145-013MD5=B18DB66107F9A3DB58AE009D35CE0A39,SHA256=9B023875329D6D96D1D2E2C61D5FC66BDE525A94E7FC76E10487647BF6E62E63,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:02.473{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49854-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000010962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:07.745{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFD751191CABDD3407CF5B0DE78A2D58,SHA256=3E7D6295A9B80EF67E3CC1EF9EADF450C477768190B178E474653AB7FE1326BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:07.735{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD8B6BF841D2CBC31278AD8EF26933A6,SHA256=8358BF7BEB779ADF5973C1F77A226715AD43735D27D5C39EEDDE0A567E59A45E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:07.404{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\surveyor-20230116112142-014MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:08.834{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60BCB8F538C8E49A57C67F913A021FEF,SHA256=8176E980050CB1769E63537B8D164B62CBA1806918B62059783398F5DACCD17D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:08.821{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E07921783420B046AF4AA0CC26682D8A,SHA256=EF5B1E4D4EE4273D669C536166553031D0FA1940741F1D94CEB3E02E7ABB1BC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.995{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.985{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.973{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.961{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.949{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.921{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.916{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.908{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.902{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 23542300x800000000000000010967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.899{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E7BBB4E3E8B35F275E0027235D9BCA,SHA256=E08306852D69DBE4492C29A52C79B780E3FE8A26DCC1E497914A9DD49713D63A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.891{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.885{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.883{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.101{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-35A8-63C5-3501-00000000B002}2596C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.099{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.095{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.094{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.089{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.086{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.085{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.083{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.082{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.078{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.076{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2B00-00000000B002}2776C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.075{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.073{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.070{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.062{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.059{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.050{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.037{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.013{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.009{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 354300x800000000000000027242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:07.515{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59193-false10.0.1.12-8000- 23542300x800000000000000027241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:10.037{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BD19015C3464E05BB71A6A0BAB4F8BD,SHA256=1B0E21A1043E0BB6F8C3FBE5B942484546FA6959D72A3E6E5D562BEF24A1581B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:11.472{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48BAE1D5553E0353BC89274D7159C9C1,SHA256=B378FEC3F412A17DB4854885F031EFA5A6E647D63E89A0C46AD0287118D5ABA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:07.653{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49855-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:11.139{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA93EC0752AE194B464DBB72C66F709F,SHA256=339FEC1D61EC2443DA9AB0623504171E058B5372ED337571ECBA2C0BF9A0CAFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:12.284{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8BE42A538ECAAE177CBB1A4AD1E8528,SHA256=DF41EBCFCF6E2791F623398608266B91347384E5B6BA60D1C58585EF241E47CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:12.239{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B009864C6CDA4407095B8A9D89E66FBE,SHA256=9D5B7388EA19AEDDD5298A3952CFA9955904319B30E9626B242385333D6FE4E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:10.227{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local59194-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:10.227{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local59194-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 23542300x800000000000000027245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:13.341{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF6BF258A8C99438B880D86E7DE80D03,SHA256=EDC6A65D4FD71C278B4D3D8EDFBF6DA154B76434032DC668A392CF6CD975B6D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:13.361{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=080C67A900B181E3CB9D644070D44CAF,SHA256=AF436FD8720457032D427EBED7E7787DB5FCE23AD8F497B6D0B33C3772F87E2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:14.436{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C178A6CD1D6611B680C56A55EE892A1,SHA256=F1A7C259FDD5A4E9DE9C2D4A06632B7F2CB3B87D19056753E6E2FAA05C267BF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:14.433{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78EA6908E0013E792CFAD6793A9D75E6,SHA256=88B78C66449DDC71F787DA2BB23EFF764CA20546A314B6264D4E3A2928B3F8F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:15.521{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=030BDB1639C1DD54B77CD2694FEC118E,SHA256=24B06F874BD3A2EBC4F7F15423171DC847BD4C92DB48115B5D19B9CE18BDDDF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:15.537{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F6C8ED164A1CD7D07E0A5245CF5DC38,SHA256=D483E517B8825CC2A7590592ADC046A6AE0ED17EB70E506E513D1E5469C2CDE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:13.599{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49856-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:16.607{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D4F1B4B546A50114A4ECC6968401DD0,SHA256=BFA17A3AFF874BC5C971D7E0508F99FC8F48A5B1D496CEC362ADAED8BAB2E296,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:13.513{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59195-false10.0.1.12-8000- 23542300x800000000000000027250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:16.635{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDA7CCA5E19BFDD98323E75E9A0C1BCB,SHA256=45336F7D0E3887924F15BFD059D0DAF59C322FC39CF018008382EBE416F50FCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:17.698{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9EB4E4046B465974AE2CEC1549F771,SHA256=FA55F0DDD57A67268FC072BD4611D8AE77DB9A54D14676C29FC4E176556A5DC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:17.736{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EECA121B3A0712B1F3D9A15466FDBFC,SHA256=B0F45C3E717D06CB5C879BB7C28D92D5DC2879A5278E8D9E5EF18FC20117B010,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:18.772{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D626B4F806F0895A168A7778CAEF90,SHA256=31E0CA0A1063B4805D9F808F8FDEE80C131E91C75AABC1C1BEE6BE7ED5EF42C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:18.838{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50C1C67757B2F81089209F003BDBD915,SHA256=0BCA09C9FA2F24E00970E972A94B8C1BC003BC455BEBB7F028F653E9CA9FC56B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:18.662{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:19.932{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113CF1F30B8BB42FAE13B1120D8E8729,SHA256=8ABF5E73F7E434B72637CF961EFC811A01F02F65B5DC847D3ADE38B3FDD4318E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:19.862{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=199A7D63B4007C8072DB3E465B3B37CB,SHA256=95A81855CEB1AB7C857F9833F46AF5E7031F9A7A33B61F34A898AED34821FA97,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:17.060{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49857-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000011009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:20.924{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3330A62D703ADA0D76F591F18C34830,SHA256=B55C384A7F67F553D990F33A022D2B3F32994ED41671135CDFD75DCF6603DEA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:21.997{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FB9F4F141AC182F11B359F5428FAF95,SHA256=8D9EBF40BA5C5DD1D5EB8040E626962CEF243641D0A86C42E9A3483A9865C779,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:18.671{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59196-false10.0.1.12-8000- 23542300x800000000000000027255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:21.024{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E43E5AB93EE36551E3C52E76D1D9394B,SHA256=554330E8832A08D6F5FD7C390FDFF4D960C970E095C7E42E9068537FA673AC90,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:19.556{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49858-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000027278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.613{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.608{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.284{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.274{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.268{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.265{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.262{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.261{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.233{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.221{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.212{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.206{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.200{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.171{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.163{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.153{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.147{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.138{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.131{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 23542300x800000000000000027259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.116{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01F3C23CBE103582EF22F1F7DCC1DA32,SHA256=8C411FC6844DAF7EAB25CA78ABAD70B6B2E291EC8C8441BF9857463FB3FF9784,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.100{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.096{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:23.799{FCCA13C7-30EC-63C5-0B00-00000000AF02}628808C:\Windows\system32\lsass.exe{FCCA13C7-30EA-63C5-0100-00000000AF02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000027287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:23.545{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36B7-63C5-4705-00000000AF02}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:23.545{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:23.545{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:23.545{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:23.545{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:23.545{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-36B7-63C5-4705-00000000AF02}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:23.545{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36B7-63C5-4705-00000000AF02}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:23.546{FCCA13C7-36B7-63C5-4705-00000000AF02}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:23.170{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D4A8F9DD589A76A4076053CACE9806C,SHA256=31B359E13BF0104D1CC58AE1D9889DF0F0776819A40830988C97AAC2BAAA2683,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:23.063{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BDE1984348974E8C25AD58309391580,SHA256=E2B7D1564B087A5F878D39BAC07F973F088F76C179870E9320DE3D57852B8EB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:24.143{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7BBDD2482163C87F48EF6EE4D429157,SHA256=5D97332990E5804C02BBAFEAD6936014CD6D295579D6EF9DD3A3E14BD854DD95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.899{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36B8-63C5-4905-00000000AF02}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.899{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C0A541BFEE90E6264195A4A86A1831E,SHA256=3A0F3F710CDA9661ECFE8B571F3B43973110FF84320B192CDCDACE35659E68CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.897{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.897{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.897{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.897{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.896{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-36B8-63C5-4905-00000000AF02}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.896{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36B8-63C5-4905-00000000AF02}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.896{FCCA13C7-36B8-63C5-4905-00000000AF02}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000027306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.644{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.643{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.640{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.638{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.637{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.631{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.394{FCCA13C7-36B8-63C5-4805-00000000AF02}51363960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.269{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF999587433A7F62CED2F4BCEF70EEBA,SHA256=6A8413B9EBDDA6438F273A9F5A4A59EC6275100F4102C8C67C29FA48F37ACDE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.238{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=4A0DCCDC43B45579D88DBCCAC61C7299,SHA256=039AE728C2E391E122F0AF3C2BA209D0066F13949D7FB4FC654B875E788333AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.223{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36B8-63C5-4805-00000000AF02}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.223{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.223{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.223{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.223{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.223{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-36B8-63C5-4805-00000000AF02}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.223{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36B8-63C5-4805-00000000AF02}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.223{FCCA13C7-36B8-63C5-4805-00000000AF02}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.098{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8E4DAFD274512A485C5991DDE4DC1613,SHA256=CE310C0AF470CA36B96BC3416EAD95C6DB3DA4D7B04BA9793FE1D55D355D7C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:25.235{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=591E0DBA04B3A20C6B13E7A018FEB68F,SHA256=AE32E8E626203A1BCF2B2496B9D990517D77BE240034E8FDE739F81F8A22EF42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.745{FCCA13C7-36B9-63C5-4A05-00000000AF02}61767104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.563{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36B9-63C5-4A05-00000000AF02}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.560{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.560{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.559{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.559{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.559{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-36B9-63C5-4A05-00000000AF02}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.559{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36B9-63C5-4A05-00000000AF02}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.558{FCCA13C7-36B9-63C5-4A05-00000000AF02}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.292{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C409D893FCB84973F14E3A144690CB,SHA256=1665BE9022AA900AD0EEC1387DF18376263041A413BA1CEB30671115B94939C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.246{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.237{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.223{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.220{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.196{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.189{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.176{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.171{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.170{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.167{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.165{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.164{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.161{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.159{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.158{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.157{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.156{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.154{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:26.553{FCCA13C7-36BA-63C5-4B05-00000000AF02}65006804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:26.350{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5C62F49F0231036B892D9D62D5F09E7,SHA256=A08B56FAB220EB5C03EDD210A385474D4B9D089091E0752F8E6BDD47E959395A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:26.350{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36BA-63C5-4B05-00000000AF02}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:26.350{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:26.350{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:26.350{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:26.350{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:26.350{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-36BA-63C5-4B05-00000000AF02}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:26.350{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36BA-63C5-4B05-00000000AF02}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:26.351{FCCA13C7-36BA-63C5-4B05-00000000AF02}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:26.327{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACE43497A38BAB31067DEF2F111CAC3F,SHA256=A7796E935F24D5246B57EE767ED3041DBEC1054481F040F9F9C692DBE732B2A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.277{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59197-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local445microsoft-ds 354300x800000000000000027344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.277{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59197-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local445microsoft-ds 23542300x800000000000000027365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:27.440{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=355392B77B42D12BD4C8D863A5A0AC3E,SHA256=1FF0EA0EB90843B200F5BF5C57631EA9EF9E2981432731F0D2A2133317300EC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:27.417{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CABD241F934A1CCF64E08833A8C9B3B,SHA256=515EE87147CF1ED078ACF3348AC2B38107A2325A2C17377915502CA72E6624C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:27.216{FCCA13C7-36BB-63C5-4C05-00000000AF02}66126952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:27.022{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36BB-63C5-4C05-00000000AF02}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:27.022{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:27.022{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:27.022{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:27.022{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:27.022{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-36BB-63C5-4C05-00000000AF02}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:27.022{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36BB-63C5-4C05-00000000AF02}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:27.023{FCCA13C7-36BB-63C5-4C05-00000000AF02}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:28.531{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBADE6D73021DB8F91B8EAC5DF41C8D7,SHA256=A5181142231935F15E2D73D7EB938F8B8BEE2A75FD252B4DAE872F5CB1F88937,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:25.515{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49859-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:28.500{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=020A433416B7BDC39D249DD8AA665657,SHA256=287935AEDE81F60B1520C33C2C1A8F0E255A485CD7B858855B41511811355C40,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.509{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59198-false10.0.1.12-8000- 23542300x800000000000000011018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:28.219{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3C68F3B941A6C8ACCD2714F132736C3B,SHA256=B9FF410D0DA9E7BDD30AC4543482B2EC31A07D9A5134446F158C67F4411BAD8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:29.602{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F176912BF88555C682B282FEEB2BB22,SHA256=A632A3F7201F030695EE54C96F9067C11943857D714155AE93FAFD21018CED59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.993{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.984{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.973{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.963{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.933{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.928{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.920{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.913{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.898{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.889{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.886{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 23542300x800000000000000011021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.576{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606C332CB57568B972260836DAC321F8,SHA256=AC219E389206FDF414D6E88407B3ED7A16359938F9F98F04908E89B95F90B830,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:29.050{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36BD-63C5-4D05-00000000AF02}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:29.050{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:29.050{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:29.050{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:29.050{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:29.050{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-36BD-63C5-4D05-00000000AF02}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:29.050{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36BD-63C5-4D05-00000000AF02}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:29.049{FCCA13C7-36BD-63C5-4D05-00000000AF02}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.696{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CFF3FC6A7D8FFD853F2502EC5AA8BF9,SHA256=331F7628DDF33CCF7C0465D1FCAFF58B0B0A1B8573883DCEADDA8327873E98A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:30.702{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=294293942F28EC5C6E74FE634A47408E,SHA256=EF8BF955DA5EB3C47F69452D4DD0F3E323A203D24170201F4CE30B6D0A490186,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.089{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-35A8-63C5-3501-00000000B002}2596C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.087{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.085{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.084{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.080{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.077{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.076{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.075{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.075{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.071{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.068{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2B00-00000000B002}2776C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.067{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.065{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.062{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.056{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.052{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.042{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.032{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.015{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.012{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.003{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 23542300x800000000000000011055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:31.974{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1E7D1143858CD1DD89D4E03A9456C92,SHA256=3E1A596077838CB3939ACAB46891B98CA4C3DA7047D68DC561BA68E06B2E44C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:31.789{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=805B28CDFD14AB51662ACC718597C9E9,SHA256=FE4CD20BE555825D6FE733BE0DEB800FE5589B3DC6402CE6C12AB4616A294ABC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:32.917{FCCA13C7-3386-63C5-9501-00000000AF02}28963900C:\Windows\system32\taskhostw.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:32.855{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D74F486E4123CE07DF933DC832C953,SHA256=6E6BA8C61189042F3EA99EDB849152F9AA2A924668BF72DE04F5A2FC9CEAB6B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:33.960{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDB92A6A9A615EF8C477DF5F1B7AEFF0,SHA256=7772B223B3C8CC6AA3F9A8AB5D8D97BB3C110BE9B8B17F5C353B1CAFF5E47170,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:33.037{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7F0AF82F2B86D26A587CF0CAC09F895,SHA256=C2A20F5896E16ED1150E0CDFB760B66A5EC99B594EE2347688463D8B7B253878,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:29.539{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59199-false10.0.1.12-8000- 23542300x800000000000000027383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:34.809{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\respondent-20230116111158-023MD5=3A7897B317CA03B79FE07533175F9643,SHA256=F76FF17815B8F96571634A983322FD544389A7130FC207258DDFB92658757A4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:31.431{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49860-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:34.124{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1055D72E73157002C9F5DFAD12AE3E1,SHA256=A6041DA89FFDEF3CC112A08E9B963C9F170E4A41877A56242DAFCCB138C1DA16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:35.926{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:35.926{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:35.926{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:35.926{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:35.936{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176C:\Windows\System32\mmc.exe10.0.14393.4169 (rs1_release.210107-1130)Microsoft Management ConsoleMicrosoft® Windows® Operating SystemMicrosoft Corporationmmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\gpedit.msc" C:\Users\Administrator\ATTACKRANGE\Administrator{FCCA13C7-3385-63C5-B3E7-140000000000}0x14e7b32HighMD5=495BFF5AE1B52661212BB65F1CFDA718,SHA256=A08EC9D2F811726BDCD71F7C5B40CDB543D092C11811A45180E569FE3F62124D,IMPHASH=ED5A55DAB5A02F29D6EE7E0015F91A9F{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\explorer.exe"C:\Windows\Explorer.EXE" /NOUACCHECK 23542300x800000000000000027385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:35.816{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\surveyor-20230116111156-024MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:35.078{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08D6E6E4FB82C3C4AB177D7A8C667A94,SHA256=0C1B908216E31BE7F429920A102787D94926C97E39804CBF0BE8DFBFE548F132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:35.192{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B238AA1BB222869C7B1FC8163B4F7EDB,SHA256=F9A5201F9ADD06C13801861EA734CA577B364A04005D529FF4BE0E4607FB1C2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:36.840{FCCA13C7-3386-63C5-9501-00000000AF02}2896ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\6BJ8DAHX\views[1]MD5=A726593A8261930E4786375106FC6BFE,SHA256=E6BFDFBB9A0649EA9D38DE4255C355C581097E6A1035A54943260B22AD45F172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:36.840{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\DG3B2HYU\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:36.280{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=269A0B85F39EF9C3CB0C7B97CF5233B3,SHA256=02784D6021634AD9FFB30C2A3F6CA515DE88F6DEF8B0C01891CF843B81EBDFC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:36.280{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9CFB0C7CB8EE097804C12F63AF51D5E,SHA256=54A54E342EC01887F037E61F13AE92A2504A52AD85EF4364A17AB14C7287F756,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:37.376{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35B0F041A005BBAE18356AF3A9F7ECF2,SHA256=45D8A52B53C8714CB5A26DB74ACE0BC9E53D55505F9317FF68F3987B0BF285E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:37.377{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C80E9ADDCFA53E901C8B4229A7DC10F,SHA256=7E446E26D35BE4C86320D1B4FB764FFFDCB6BF69D533BDFC9C7579846ED0D121,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:37.362{FCCA13C7-3386-63C5-9501-00000000AF02}2896ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\6BJ8DAHX\views[1]MD5=BEE1758A485085BB8A121EB74BA7E96F,SHA256=EDCAD5B1CE8A304B70B8C9EA57D4AEAB740D979FFA59243B943011CB1BA4D57E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:37.362{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\DG3B2HYU\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:37.346{FCCA13C7-3386-63C5-9501-00000000AF02}2896ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\DG3B2HYU\views[1]MD5=A726593A8261930E4786375106FC6BFE,SHA256=E6BFDFBB9A0649EA9D38DE4255C355C581097E6A1035A54943260B22AD45F172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:37.346{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\VFQMRO7Q\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:37.331{FCCA13C7-3386-63C5-9501-00000000AF02}2896ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\VFQMRO7Q\views[1]MD5=BEE1758A485085BB8A121EB74BA7E96F,SHA256=EDCAD5B1CE8A304B70B8C9EA57D4AEAB740D979FFA59243B943011CB1BA4D57E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:37.331{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\6BJ8DAHX\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:38.434{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BE5237A226D0DB7816D64FED318CB3,SHA256=0D7122F68165E76B559F255F289692DE4C2244DC15A8EC003C19739BAD0E791E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:38.350{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EFBA9F2E3405BC17012639C0B0804CC,SHA256=47CD27745CEFEE1A15A02E54F98B0742E1BEE01631F1390F9770E6AD02D95CF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:34.647{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59200-false10.0.1.12-8000- 23542300x800000000000000027401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:38.209{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=305CC5275EBC68A9F1AF8FE344588D0E,SHA256=95A62A74E3F1139DA2C858ADD1C39B94CE9488BBA7876AB750F07BB38A274639,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:36.623{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49861-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:39.515{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4B186A1FAEC1CAC22C29B05BE90A9EB,SHA256=1A7FEEB794142EC63E7C7890308ECB85185CECC951000AF42624A9098D1A3481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:39.453{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE946EB83C6F2E02097AF5D6C3A737B,SHA256=5EE536F23A8E4014B47E1C57ECEAAE2B791E30C00648E45BAC112EE4C3A392CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:40.594{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=415C56EC7981C6F4326A842D927D316C,SHA256=906A495FCA5A5190A3D78B6A97FB8DAFE534A05602FEA31AB1E6D88DB4EC6115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:40.541{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECA1C2178EE8475E25DFD2DCB9330797,SHA256=AEB5BD2AF2AD394CB048FC02ADB0A71B48600D074EB826FDBBF06C277E477896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:41.674{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D535E8D6528F5C70D4611E1FA9D8747,SHA256=77C0E47A5460DAF54925ECC3E3680EC924FD40724732E047EEFDD2935A716B51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:41.636{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10AD7EA69DAAD9D62C906A74DEBC6E7D,SHA256=829620ABDBFD2EB5C01B06C06FD02F6769B97B5B8857D93561E7AA81E048876E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:42.756{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=226FDF575B96030DC7FE4CD92D0B6A13,SHA256=2D72C7169360303C2736A63F278280D4203E183C8A58451839DE08B9CDAB56B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.687{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C5A35E7300317B8104068528154BAD2,SHA256=467BD280708547A80A7622F617CA2EC98F239F829378E4815AA6B4EDF97DC9A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.566{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.561{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.268{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.259{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.253{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.251{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.249{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.248{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.221{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.216{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.204{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.198{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.193{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.169{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.160{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.152{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.146{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.138{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.131{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.099{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.096{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000011069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:43.829{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C68075B2BD7FF8DD98E7AD374AB04F10,SHA256=BB53D4AE2B47C62155A620D52F2D418662DB6B79AE39B15298C6C9095AA7A85F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:43.869{FCCA13C7-30ED-63C5-1100-00000000AF02}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=76C883637A4F73671B74E9F16481A76B,SHA256=526728C2339DCE67E2FC84D37CEC1733E1AEF6E1BD9A40CB906F6E8D3D5DA7B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:43.790{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CC063771E9FA56B86DD966BCACEF173,SHA256=4C47EC2F37A22E8802F6D8C3A6FB3F9549C795E54F0E1CA14257E73F0FA4EC73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:43.688{312A7A06-3345-63C5-1200-00000000B002}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=981973F796C6C0EB2EB7DE03C239E69A,SHA256=D218F57F6076EF372ABB20F71F9EDEEB9C2CB1AA8745480613534EF565F06233,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:40.656{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59201-false10.0.1.12-8000- 23542300x800000000000000027438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:44.888{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0450475B4817D270C66A0FBF5FE3397E,SHA256=4A67CFCAB38E892BEBF3D701C99081EABC5D9ED2D5215D9FA6BD32E4734DAC46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:44.612{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:44.611{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:44.607{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:44.605{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:44.604{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:44.598{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000027497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.990{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=032575611C574A00090B93FB195001C4,SHA256=43FC5120229768AEBF4DFDC87372E7C9CEDAE4F2243FB19D354B46A9321522D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:42.610{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49862-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:45.018{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41D91C62268400229195897F04041751,SHA256=93BD699F54FD8D2426E522A7702E1E0D50D13EEFE38D473F87A434C69E7FDFFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.624{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71E0353BD86E4B24634A3F86DAA3CC74,SHA256=A800FAC9C664231834DDCF9862904C33B784630C1A04D81C5C64C4AE24B1F55E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.208{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.200{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.186{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.183{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.161{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.154{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.140{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.135{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.134{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.131{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.128{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.127{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.124{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.121{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.120{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.120{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.119{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.117{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000011072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:46.098{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C274BE59A5ECF0AF20E81416FA29BA46,SHA256=43B8D83B2AF9E9C49124AA7B30B1D8E927738C5E8205391FD3E0CB49017483A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:47.183{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACF0AC70EBA985FC645780DEF68DDE58,SHA256=F03551B9C4905DC4332D85342FE7D5710BA60B220422D48E29B6313BDEC505CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:47.074{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=300F63791DF67041CCBAC3958BF948DB,SHA256=D95012A68091926D31C1C76667C4EF1A7D5C06A8BCF591DAF24EBF3BE211F117,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:45.110{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49863-false169.254.169.254instance-data.us-east-2.compute.internal80http 23542300x800000000000000011074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:48.254{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89D7CA76EBCEF2474C9F2409755496F9,SHA256=D94749D269670C1DA4DD39B3FE34B9B59817F5742031E001B98E63B5E9EC8FFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:48.179{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\SchCache\win-dc-ctus-attack-range-221.attackrange.local.schMD5=3B3531A335298119AD90D9B9BEB810AF,SHA256=77996876B4230A7DFCE13A77C0AA2E3B969AFA2A4562FD8583B6DDE3742EB2AD,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000027500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:48.148{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176C:\Windows\System32\mmc.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 23542300x800000000000000027499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:48.163{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3807A410C3B5B46645E3EFCA0CF722F,SHA256=2CA56162B36818D371CBF9B844041ED8F0B5852055F2C864CDD8200AB3AEC2B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:49.998{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:49.992{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:49.983{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:49.952{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:49.946{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:49.941{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:49.934{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:49.920{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:49.913{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:49.911{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 23542300x800000000000000011076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:49.329{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB7815C63073CF0A823275ED1B68A7B1,SHA256=D7FF2E1BA16A70A727340E8E2F4DD48214FC840C48CDF6B5F56E25D60A6A0126,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:46.617{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59203-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:46.617{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176C:\Windows\System32\mmc.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59203-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:46.546{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59202-false10.0.1.12-8000- 23542300x800000000000000027502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:49.262{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B7519E7CB4CAE7E9C17D1135D48D9B,SHA256=DEF06AD7ABD72605D69054E9A646EDC6C2F7D14AD6F05174CCC6CE02D73F15FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.878{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAC86BFC8A6B781052C6028FEBE438BF,SHA256=25584B222AAF0A94B27186903F36199868F52B3A0C0ADBA341DA99984B65A859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:50.352{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3754AC6694515AA787DEDC1BAD20D711,SHA256=BEAE5781B4920FA4F6BEB9124A8269BC85DCC76E494651C6054C33541F02A0BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.086{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-35A8-63C5-3501-00000000B002}2596C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.083{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.081{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.080{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.077{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.075{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.075{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.074{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.073{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.071{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.069{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2B00-00000000B002}2776C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.068{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.065{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.063{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.058{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.055{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.050{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.044{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.029{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.025{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.011{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.003{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 22542200x800000000000000027506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:46.634{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176win-dc-ctus-attack-range-221.attackrange.local0fe80::5d46:b69e:195c:9972;::ffff:10.0.1.14;C:\Windows\System32\mmc.exe 23542300x800000000000000011111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:51.987{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0221D6B8F02C4A3C7C81C7C210D04198,SHA256=138295E1A1BE546553168BC0998E76F936F72B71CDEA64DAF06B8D5D9E368F1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:48.564{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49864-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:51.450{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26445F231BFB919210791C19BE613461,SHA256=1DEEB6ECC91F8E623189DF6BF2DA2BCCBC0E02A32403AFC3FF4623214AC72905,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:52.944{312A7A06-3345-63C5-0B00-00000000B002}628668C:\Windows\system32\lsass.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:52.944{312A7A06-3345-63C5-0B00-00000000B002}628668C:\Windows\system32\lsass.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:52.533{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63EA27A2959274146589FDAD6B01936C,SHA256=B113D6FDC335AF913561D718BBDA4EBA29F6CA33399A7D13AC41C82F0260DBC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:52.928{312A7A06-3345-63C5-1000-00000000B002}9442624C:\Windows\system32\svchost.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b910|C:\Windows\system32\wbem\wbemcore.dll+255ef|C:\Windows\system32\wbem\wbemcore.dll+24a8a|C:\Windows\system32\wbem\wbemcore.dll+2484e|C:\Windows\system32\wbem\wbemcore.dll+2684b|C:\Windows\system32\wbem\wbemcore.dll+22b68|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:52.913{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:52.890{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:52.890{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:52.890{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:52.890{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:52.890{312A7A06-3345-63C5-0B00-00000000B002}628668C:\Windows\system32\lsass.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:52.875{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1D00-00000000B002}1996C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000011142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.977{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D5D81DB9EAB2AC1F9FF9CB9557F2E16,SHA256=E271B6A18D245981FFB5C06BB0CD5C5875DA8DC69518EEC543A87D3A55E27E27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:53.633{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68ED4FF0CF6DAE8DDA0C01B378B3ADE8,SHA256=546971CEF1977A1AC26D1B591FEA14B9D890FC3039ABAA78A59E1AB2C576D458,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000011141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:36:53.618{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d9299e-0xd4d11968) 23542300x800000000000000011140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.274{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0AE4FBBF1E79C8BC98CA3AE091949C5B,SHA256=F9B1155061621DB7A8BF0D06260844F44BFB4CCD37A4932A67F9516A63AA5F40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.185{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.185{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.185{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.184{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.184{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.184{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.182{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.182{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.182{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.181{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.181{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.180{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2B00-00000000B002}2776C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.179{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2B00-00000000B002}2776C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.179{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.179{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.178{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2B00-00000000B002}2776C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.178{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2B00-00000000B002}2776C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 23542300x800000000000000011122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.051{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE4E9BF10352ED6BBE1255DF59ECE89,SHA256=D3E40036433B6FFFFE212CEBDE7A1AAD974DEFA7A69B3D612272241AB46C4BB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:54.734{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7711CF7A3A85AE0EFF425BE82D717A63,SHA256=E96DCE7ED36C6D5875FA48125E2CEA43E2990E1358746A5CFCA31BC95E06F8E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:51.608{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59204-false10.0.1.12-8000- 23542300x800000000000000011143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:54.032{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD740E1ADB341FAAD0BD577B16D83CED,SHA256=4A044DBFD835FBE0AB56BD7B960079C74527CDDA6A9F32821D42120A762206AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:54.248{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=371F2F63D2075915472698B87D85F4D0,SHA256=6B1754D63F1638870CB14D7480C163A29C529B02BA4F2CBBF1BDEC4DAE1F7297,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.836{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4D4A317D43EEF84995FE1EFF819D154,SHA256=AE5824A97405B5F24A3154571A12C4730FA6071E619D00FFAAE81FD8C8AF5E55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:55.104{312A7A06-3346-63C5-1D00-00000000B002}19962540C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439150) 10341000x800000000000000011146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:55.104{312A7A06-3346-63C5-1D00-00000000B002}19962540C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439150) 10341000x800000000000000011145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:55.104{312A7A06-3346-63C5-1D00-00000000B002}19962540C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439150) 23542300x800000000000000011144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:55.016{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=446E04CFC8B5346DCF72FA55196AF430,SHA256=5658B4992C64E43E0858CCD89F147441937CDF306597A5780647FFFE190C2514,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0f5|C:\Windows\System32\SHELL32.dll+7b35a|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43eec|C:\Windows\System32\ieframe.dll+43d94|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1|C:\Windows\System32\mshtml.dll+112438|C:\Windows\System32\mshtml.dll+113bbc|C:\Windows\System32\mshtml.dll+113517 10341000x800000000000000027527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0f5|C:\Windows\System32\SHELL32.dll+7b2c4|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43eec|C:\Windows\System32\ieframe.dll+43d94|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1|C:\Windows\System32\mshtml.dll+112438|C:\Windows\System32\mshtml.dll+113bbc|C:\Windows\System32\mshtml.dll+113517 10341000x800000000000000027526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43eec|C:\Windows\System32\ieframe.dll+43d94|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8 10341000x800000000000000027525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43eec|C:\Windows\System32\ieframe.dll+43d94|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1 10341000x800000000000000027524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0f5|C:\Windows\System32\SHELL32.dll+7b35a|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43e8c|C:\Windows\System32\ieframe.dll+43d94|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1|C:\Windows\System32\mshtml.dll+112438|C:\Windows\System32\mshtml.dll+113bbc|C:\Windows\System32\mshtml.dll+113517 10341000x800000000000000027523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0f5|C:\Windows\System32\SHELL32.dll+7b2c4|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43e8c|C:\Windows\System32\ieframe.dll+43d94|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1|C:\Windows\System32\mshtml.dll+112438|C:\Windows\System32\mshtml.dll+113bbc|C:\Windows\System32\mshtml.dll+113517 10341000x800000000000000027522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43e8c|C:\Windows\System32\ieframe.dll+43d94|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8 10341000x800000000000000027521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43e8c|C:\Windows\System32\ieframe.dll+43d94|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1 10341000x800000000000000027520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0f5|C:\Windows\System32\SHELL32.dll+7b35a|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43d85|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1|C:\Windows\System32\mshtml.dll+112438|C:\Windows\System32\mshtml.dll+113bbc|C:\Windows\System32\mshtml.dll+113517|C:\Windows\System32\mshtml.dll+117461 10341000x800000000000000027519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0f5|C:\Windows\System32\SHELL32.dll+7b2c4|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43d85|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1|C:\Windows\System32\mshtml.dll+112438|C:\Windows\System32\mshtml.dll+113bbc|C:\Windows\System32\mshtml.dll+113517|C:\Windows\System32\mshtml.dll+117461 10341000x800000000000000027518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43d85|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1 10341000x800000000000000027517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43d85|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1|C:\Windows\System32\mshtml.dll+112438 10341000x800000000000000027516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6497|C:\Windows\System32\SHCORE.DLL+6387|C:\Windows\System32\SHCORE.DLL+62fd|C:\Windows\System32\SHCORE.DLL+620a|C:\Windows\System32\SHELL32.dll+d6b7a|C:\Windows\System32\SHELL32.dll+9b704|C:\Windows\System32\SHELL32.dll+9b358|C:\Windows\System32\ieframe.dll+43d85|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1 10341000x800000000000000027515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+d6b68|C:\Windows\System32\SHELL32.dll+9b704|C:\Windows\System32\SHELL32.dll+9b358|C:\Windows\System32\ieframe.dll+43d85|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8 10341000x800000000000000027514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+d6b68|C:\Windows\System32\SHELL32.dll+9b704|C:\Windows\System32\SHELL32.dll+9b358|C:\Windows\System32\ieframe.dll+43d85|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1 23542300x800000000000000027530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:56.925{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC07541BB3E3B12BF82841E78D3ED4EA,SHA256=882FA8C7D509605E24BF9E20D6F4FC3A46E50378DB861903B156702FE5D2B988,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.941{312A7A06-36D8-63C5-7C01-00000000B002}26322768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-36D8-63C5-7C01-00000000B002}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-36D8-63C5-7C01-00000000B002}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-36D8-63C5-7C01-00000000B002}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-36D8-63C5-7C01-00000000B002}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000011164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.205{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D8-63C5-7B01-00000000B002}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.205{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D8-63C5-7B01-00000000B002}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.205{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D8-63C5-7B01-00000000B002}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 23542300x800000000000000011161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.078{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D6F187BF451D891EA4507B255DE100D,SHA256=17A50BC6A8E32F948DDC7BB0DE3A5B90453012BAD5A859761A124F3D0A4A847D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-36D8-63C5-7B01-00000000B002}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-36D8-63C5-7B01-00000000B002}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-36D8-63C5-7B01-00000000B002}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.048{312A7A06-36D8-63C5-7B01-00000000B002}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.665{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A5E2035533D27B8DBD113C292FC1EE2E,SHA256=E7670C7E2FCD3CC96727AA83501081B9AA073CAECD91A4B50CA9FBF3B5BAAE97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-36D9-63C5-7D01-00000000B002}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-36D9-63C5-7D01-00000000B002}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-36D9-63C5-7D01-00000000B002}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.371{312A7A06-36D9-63C5-7D01-00000000B002}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5DF855EED734C5153060FE51CA91AE4,SHA256=7B1E59F436B4746535FF61763B7C36ECD7219F65932F623B67E85C0E50DDA9F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:57.367{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.930{312A7A06-36DA-63C5-7E01-00000000B002}33683052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-36DA-63C5-7E01-00000000B002}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-36DA-63C5-7E01-00000000B002}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-36DA-63C5-7E01-00000000B002}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.790{312A7A06-36DA-63C5-7E01-00000000B002}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.476{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF7A75B254035B240C2EF3A2FCD61C6,SHA256=BAFB93719E20FD1B1C5829840C34B7F0F7F4DA389915FD98461A113107BC1B10,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.843{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59205-false10.0.1.12-8089- 23542300x800000000000000027532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:58.025{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE88D193A7A9E47E7A2450DEDDCFFC6C,SHA256=07321D464C2D62B78EF361B2677E1B8B1783ABB4B25ED0A279AD49308FA90152,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.367{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B360E3D4F67D8754C6A85AF5473734D8,SHA256=BF816C00979F2FC3E1D4660820517EA22FABB06F5DF409D4E6BEF8ED903D617B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:54.514{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49865-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.907{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F8CA1735ABBB24AB8C08132199CFB13,SHA256=5FC61C1B93E0C1112D678EC072F3D3A85E62ABE490CFE7B8186E6BA1D3B960B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.829{312A7A06-36DB-63C5-7F01-00000000B002}32922764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-36DB-63C5-7F01-00000000B002}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-36DB-63C5-7F01-00000000B002}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-36DB-63C5-7F01-00000000B002}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.643{312A7A06-36DB-63C5-7F01-00000000B002}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.563{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19327FA8F5CCC88F09340B370BCB2471,SHA256=5CA203EFFA742BA10137CD9A869B746A5CFED80522747F71F461ADC5AD15B1CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:56.705{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59206-false10.0.1.12-8000- 23542300x800000000000000027534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:59.127{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73E73ABF42857F1655E8C9AC0ED25015,SHA256=710D7A37D899781663D8A9B260194DF27B1DE6C53D70E134E62F9D5C4D6704CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:00.221{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F91743731C55573FC0E59491465C46B,SHA256=7D1F1661C910EDF2ECC384525AF149533458B83CF8C8EB27114E84E7A56A8250,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.416{312A7A06-36DC-63C5-8001-00000000B002}10803804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-36DC-63C5-8001-00000000B002}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-36DC-63C5-8001-00000000B002}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-36DC-63C5-8001-00000000B002}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.284{312A7A06-36DC-63C5-8001-00000000B002}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000011257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.497{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36DD-63C5-8101-00000000B002}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.497{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36DD-63C5-8101-00000000B002}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.497{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36DD-63C5-8101-00000000B002}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-36DD-63C5-8101-00000000B002}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-36DD-63C5-8101-00000000B002}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-36DD-63C5-8101-00000000B002}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.418{312A7A06-36DD-63C5-8101-00000000B002}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.099{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BEEFB3466E9C8844112D85465ED21A2,SHA256=164A40701B90317D258E2578654F1ECB340F42430AC07874F04B797D127390A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:58.241{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59207-false169.254.169.254-80http 23542300x800000000000000027537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:01.320{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F19CD38B81F991D3FE7D862D71D486,SHA256=6F87A59922F422B46DAF5368423356B83A59C048D3249E7CDEF4BBD9BC15DEA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:02.149{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EC7CAA7FBA9463EC89B1C23C71147C7,SHA256=42056C079729FB35DE06843D9A03F80DE4AAE88FE76C0F0485703CF32AD73968,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.770{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.764{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 23542300x800000000000000027558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.387{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCD1A7EA55333DF5DC4CB97E2BDC23D8,SHA256=83FE70EBFC4013885422F0D3396AA21106195D9B294B44EB4A9C5A813FC464CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.346{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.335{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.329{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.327{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.325{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.323{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.291{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.285{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.272{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.265{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.260{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.224{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.214{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.204{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.197{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.188{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.181{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.128{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.120{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 23542300x800000000000000011259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:03.230{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08494E3B8D716231802F390979D038BA,SHA256=10B6A856F37731D6BC9303A27A34163BE90BECC9C16A62C6B8D7359368F3D83C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:03.446{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E25744F47E6B373E307F520C3BD66F8,SHA256=144DADF322835E151D23AF18AC29AD31807DBABA9FBC4F73F523E8BED0A8B6FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.806{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.805{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.800{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.797{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.795{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.788{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.570{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.554{FCCA13C7-30EE-63C5-1600-00000000AF02}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=2615CEB763846F8DFD72B910B7F259B1,SHA256=A3E8A5B5E6FBC831FBEA6D819B4A501EEB6013EBF54073DDC43836F8BCD9089C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.536{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BADB78ADACB3F06740D80C925F0F149,SHA256=057991608979CAF144ADF98C550554CF3941485DFF8AB866B515DDDE2EE6F875,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.518{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EA-63C5-0100-00000000AF02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000027565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.506{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-AF01-00000000AF02}3376C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000011261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:04.301{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E3BD3A818C420BD38264839F3A8C35C,SHA256=BFF5B6C4B9F1313914E366AFC82AB22A2BA760903856DD749FA3CAE5CB270F51,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.520{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49866-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000027564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.427{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.412{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.412{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csvMD5=2615CEB763846F8DFD72B910B7F259B1,SHA256=A3E8A5B5E6FBC831FBEA6D819B4A501EEB6013EBF54073DDC43836F8BCD9089C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.800{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D3010BBECC750A7EDB142B2673D9BB,SHA256=9DC30F4A4C52CDE763C60F2FF5E9A5DEC99CA81BBDB7D57F474EA58775F0245A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.800{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F74575FCB488D213D436EEBAFFEAFD06,SHA256=2EFEABC5D1F0ED4C87625C9F584DE9336587D3316967686846ABC8A79C2DA75E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.991{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59211-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local445microsoft-ds 354300x800000000000000027600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.991{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59211-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local445microsoft-ds 354300x800000000000000027599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.910{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59210-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.910{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59210-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.902{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59209-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.902{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59209-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.617{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59208-false10.0.1.12-8000- 23542300x800000000000000011262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:05.364{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3832C3A5F72788CE1AC273B47B0CCB04,SHA256=D997CC42C55D1E7CBA8F4C7CAC35D5444C44F5102F40780624DC801925CB559B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.432{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4951A7A1CBBA1EB571D0991003E29932,SHA256=4DD098EC59C495D4A765242F490F94A80C7CBEE928BBD6EC32EB0FD57B9D7F4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.425{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.418{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.402{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.399{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.367{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.360{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.347{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.342{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.340{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.337{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.335{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.334{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.331{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.328{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.328{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.327{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.326{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.324{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 23542300x800000000000000027604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:06.703{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8515AC131B2C314E0DBEC81C323B5F2C,SHA256=A114B97E2DBB94D9F6ABA424BE75A8A6BCBCEB45740F267CA64BD5B8488A1E49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:06.445{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D7A26B001E200D1473F1B46F5792A76,SHA256=5442A6E0DAA2D097C6755656520F08C40DF63563DDCAB2B8E28660FE62E06673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:07.800{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1D80CB6F83DC176B6AB30AAD207000A,SHA256=026D2022F5898BE17401B32A675015EE59E4E8D03C88786BB45036258AFA1820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:07.940{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\respondent-20230116112145-014MD5=B18DB66107F9A3DB58AE009D35CE0A39,SHA256=9B023875329D6D96D1D2E2C61D5FC66BDE525A94E7FC76E10487647BF6E62E63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:07.524{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31A7F0094A48BCC0118B14B11461C6E1,SHA256=6B20DE8317C1E3D73C850BB0E94BA359AE84BE6E8205BAB6D140793BB9F742B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:03.694{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:281e:18ed:f5ff:fef0win-host-ctus-attack-range-589546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 10341000x800000000000000027608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:08.979{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:08.979{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csvMD5=D68C5A19358E1CBC980A7C2778252E44,SHA256=A5CF90880A6F9D95E3122D1E64735B8565977DB74CE72C2717C500238B8B8A9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:08.901{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA33FC3AE12E48BF5BADDCD3DA964F97,SHA256=D3EA892583C5F84E72A8C486869E7B85A28410DD062E6FEFAC324172325ABAD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:08.947{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\surveyor-20230116112142-015MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:08.617{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0EA558E0B284EBF5905A181CD10E491,SHA256=AE37D8A02A79F9E7464EB8FFA27CC52C1889092C98C63190D0AC5762025B6C66,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:05.535{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49867-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:09.990{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E38B82C2A1F7FF631FAC3C6A91333C67,SHA256=3DD2F888C4636578666D9DCDD790F9EC6E0300D4004398B02C082CA3D208CF7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:09.991{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:09.989{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:09.982{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:09.975{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:09.969{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:09.963{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:09.958{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:09.935{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:09.928{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:09.917{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:09.911{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:09.906{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:09.900{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:09.898{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 23542300x800000000000000011270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:09.702{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D28A0E275AB5507099F1C8E9010F2AFA,SHA256=6E5919C370391CDA586ECF4C2BB2E8FEE782C51242B4CF3B2A5A0F1112CCCC73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:09.121{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:09.121{FCCA13C7-30EE-63C5-1600-00000000AF02}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=D68C5A19358E1CBC980A7C2778252E44,SHA256=A5CF90880A6F9D95E3122D1E64735B8565977DB74CE72C2717C500238B8B8A9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:08.995{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000011303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.938{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31CFD3D9012DF65D2196CD2D0F6D0D9A,SHA256=D8E3659E2EA5E06F7839C41EB5480979972DD5EAF5B3F99EADA9FB273CBB9EBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:07.681{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59214-false10.0.1.12-8000- 354300x800000000000000027616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:07.477{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59213-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:07.477{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59213-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:07.468{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59212-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:07.468{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59212-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 10341000x800000000000000011302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.046{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.042{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.040{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.039{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.036{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.033{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.032{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.031{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.030{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.027{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.025{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2B00-00000000B002}2776C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.023{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.022{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.020{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.015{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.013{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.008{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.002{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 23542300x800000000000000011304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:11.970{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8EF882F17ACA436B9032BDF83D7178B,SHA256=9B1103DB49096EDC91A40553EFA5A14B86D80F63E1AFFF9AC96FB69359776568,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:11.075{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3085F5E56459CA9CEA3420ADD4F1D358,SHA256=BA2A02741812D032086D89C4B3CA5A57D9C619CD16FBABB9930B6D872CE0A66F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:12.169{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49859B578F13C955C6A4A42CB2292A8C,SHA256=228AF66108B52AF1F35490D5B039407F0A1D84BE15E34F364AA2F14F1F496A37,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:10.236{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local59215-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:10.236{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local59215-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 10341000x800000000000000027625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:13.701{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:13.701{FCCA13C7-30EE-63C5-1600-00000000AF02}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=78658B6A446856051B3A2E71EFA07645,SHA256=0B317E57A721A6BB109CD578E61C0E2203936E7B48F72E11959F26F11FBD6F4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:13.560{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:13.560{FCCA13C7-30EC-63C5-0B00-00000000AF02}628808C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:13.545{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csvMD5=78658B6A446856051B3A2E71EFA07645,SHA256=0B317E57A721A6BB109CD578E61C0E2203936E7B48F72E11959F26F11FBD6F4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:13.264{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D33FCD9853A0827E5AAF4C81DF08DFE3,SHA256=831D2D3145D19F7B0E2AFA1D5FCB55AAAFCC93C77AF1DBD7D3B0361AE75229D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:10.644{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49868-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:13.042{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBA1A7ACA18DF70C524BF4DE1DBEA59B,SHA256=1D305DBF8C1ABAB33D344AC543163D482758569999EEF46C589B7A97C2AC445D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:12.047{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59217-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:12.047{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59217-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:12.039{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59216-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:12.039{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59216-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 23542300x800000000000000027630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:14.713{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7C268DEC9C4DF79C4068154D32953AD,SHA256=DF01A8B848DA6CCBC4404B5321A92452AD7B887533CC77E281E433B489929898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:14.604{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3F3D75B82D9B790C720605C9A16CDD45,SHA256=A487C971D0BE77023FA88E6542E30DD1F3F1C9E66A448B34F776751E960EF7DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:14.352{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45CAC864F96D6067A382EF54475AF68E,SHA256=FA3E26B8A50C05D2865E36EBA0ABE7A9D558535179D2CFCA6D11B912BACACCED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:14.132{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29B35038FD5716DF04AB4219FAEA7CAA,SHA256=2037F296FE17E1BC6673EB20BDB99C6AACC492F5DF0808F7DE9717257DFF1054,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:12.732{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59218-false10.0.1.12-8000- 23542300x800000000000000027635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:15.447{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=717905B58A23704264D09CB0C90B2BD2,SHA256=65426F8D05B82B307C49857F09C6DCA82712EE2C79891EEAF6F2546DAC66A062,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:15.218{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7A7B98E1BBDDDA00BB61A2186485B99,SHA256=4DDF1C55273F78A0471966CABB2BEC41EB7541D884985E1044E0A114E7735000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:16.542{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E2A4825FFFD408B147C3B4D94CB654,SHA256=5F697EA5477DEDA99807BB256EF08B809C967465BBC7788531A08841F6D4EE30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:16.279{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED3279E629033E6A7EEB19911CE05953,SHA256=211FD289C8ACE778234506F414CE7C62BAA4BD9A632CB04046234792638CB0EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:17.385{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1206A6242132690B7AA173B12DCF055E,SHA256=2A92B87F05A2D20B39927206E34992492C248386B34237A2B1661F6A03ED8CB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:17.643{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26DE11E8C0C3570F3768BD4EB7AAEEA1,SHA256=6DFDBE497B8838DA41BDFF623FAABB3B56D796BDCEF404424C182394C88AE7E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:18.723{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6074ABB11276A13135781BF5213371F7,SHA256=98719E7D62C3A4DFDCCF17BFBDDB76F560D868AB35EFA9A3161B1FD481B749ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:18.694{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:18.479{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13CF22FCB696AA3568124C78F9B27ADA,SHA256=31871F2C76E89AEEC8A972DCADC8A590259B18BEFFF59D38193C6D25BB44BB25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:18.161{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:18.161{FCCA13C7-30EE-63C5-1600-00000000AF02}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=E5C3BFF0595167BE171D963FF86E205A,SHA256=B84A07A720089EF6F48BD12C5F6547E9C8CF1FBB6D674EC6F12403A0C38A874D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:18.034{FCCA13C7-30EC-63C5-0B00-00000000AF02}6282324C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:18.018{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:18.018{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csvMD5=E5C3BFF0595167BE171D963FF86E205A,SHA256=B84A07A720089EF6F48BD12C5F6547E9C8CF1FBB6D674EC6F12403A0C38A874D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:16.512{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59220-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:16.512{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59220-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:16.503{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59219-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:16.503{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59219-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 23542300x800000000000000027645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:19.827{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=415124556A1FFE1814E24E21D0EF44A0,SHA256=D5195D3DA4106364CA3B63C2E4E4408DF6A666BB5C7598758787461AA754032B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:16.596{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49869-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:19.578{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F37D0D6E472FF1E8FAD2260985C0655,SHA256=4139506BE2196C4CFAEFA703DA601539061EB3146EC6E62FECCE6FADA18F5C45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:20.942{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E793DB03AD32000BE50D386EAC7A1D,SHA256=53FB397280CAAE033CD23D14426DBA0BFE12EAF8F2B9B0071A769EF56F4F6A02,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:17.077{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49870-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000011315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:20.676{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64FC40B0EBA161152FDC960B383927A,SHA256=A1B6BE34169E2F51395951E96522F76B60D424D25CCD917766A5BD79E1D87E24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:21.980{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:21.980{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000011317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:21.743{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A24069A90E8A35BCB1B2A699A4660D5,SHA256=547FD0C79F80C88A38E3AEB6EC2151A12EBBD052BA85F37F5A6B2942D1C73378,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:22.813{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17583776AF96079CE6D20160A7DCE602,SHA256=5DF31AAD0A29FCFB77C145302F77430AC32B90190B09DCF34108A09733271E5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.679{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.674{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.350{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.340{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.330{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.326{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.324{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.321{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.281{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.271{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.255{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.248{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.241{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.210{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.202{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.186{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.176{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.161{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.152{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.108{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.105{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000027654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:22.046{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7C08BD2FBB145243E9AD29419F70AFF,SHA256=40320DE72BF3F36E4716F1FFC7511881B1AFF4A21C96F993CA2AC8E867F58316,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:18.647{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59221-false10.0.1.12-8000- 23542300x800000000000000011319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:23.884{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D9D2B71160451467068AB130E2EE554,SHA256=2F0B3D49189DD6DCB9035BA1326EAF7C659129D598C613D74823C5F1CECBC0C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:23.547{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36F3-63C5-4F05-00000000AF02}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:23.547{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:23.547{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:23.547{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:23.547{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:23.547{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-36F3-63C5-4F05-00000000AF02}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:23.547{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36F3-63C5-4F05-00000000AF02}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:23.548{FCCA13C7-36F3-63C5-4F05-00000000AF02}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:23.085{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=245E1B900CF040A040D1986747BF3322,SHA256=DB2FAE570D49745A5CC1B88C04F90D60E2512FC8B886A57D9C51F58267FD6EE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:24.959{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61EF3F4A0800D4B180A7132137F70AE,SHA256=E4DA2A030FBAD6B1C2360CA339B567D406A09A0B39F4446FEA0B1963639AAD58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.856{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36F4-63C5-5105-00000000AF02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.856{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.856{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.856{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.856{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.856{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-36F4-63C5-5105-00000000AF02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.856{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36F4-63C5-5105-00000000AF02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.856{FCCA13C7-36F4-63C5-5105-00000000AF02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000027712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.840{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.840{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.840{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.732{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.731{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.728{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.726{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.724{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.718{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000027703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.495{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7E79668CB70C5DF98B4309FE6229DBCE,SHA256=FE6C135ED8E04CE6DB30B1DE1BA66904CC48D899CC7701A24053FAA4B930426F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.411{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F2D38E4BBB21CC605A35FD666E125737,SHA256=CF0EBDD24E08DC04EC7F3C0393F58D4927EDD1B7E8DEB783023A3620BBB99343,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.361{FCCA13C7-36F4-63C5-5005-00000000AF02}31165428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000027700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:20.456{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59222-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local135epmap 354300x800000000000000027699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:20.456{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59222-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local135epmap 10341000x800000000000000027698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.192{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36F4-63C5-5005-00000000AF02}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.192{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.192{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.192{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.192{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.192{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-36F4-63C5-5005-00000000AF02}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.192{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36F4-63C5-5005-00000000AF02}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.193{FCCA13C7-36F4-63C5-5005-00000000AF02}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.176{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD9AE3E3A20F638EF2107273CCBA29C,SHA256=7D1A30CC6568B807973B9EFD184A17CDA9C1A607A23A91E73B063BE3FE2E18F9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000027689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:37:24.018{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6335A056-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6335A056-0000-0000-0000-100000000000.XML 13241300x800000000000000027688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:37:24.002{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\F283BD66-5E50-484D-ADBD-4AC94CBA68D3\Config SourceDWORD (0x00000001) 13241300x800000000000000027687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:37:24.002{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\F283BD66-5E50-484D-ADBD-4AC94CBA68D3\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_F283BD66-5E50-484D-ADBD-4AC94CBA68D3.XML 10341000x800000000000000027686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.002{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.002{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.737{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.726{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.717{FCCA13C7-36F5-63C5-5205-00000000AF02}37286600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.706{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.703{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.674{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.667{FCCA13C7-30EC-63C5-0B00-00000000AF02}628844C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.667{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.663{FCCA13C7-30EC-63C5-0B00-00000000AF02}628844C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.663{FCCA13C7-30EC-63C5-0B00-00000000AF02}628844C:\Windows\system32\lsass.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.652{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.646{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000027739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.646{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CEAD6006BF9EE1708FC7CE73B3D5D1F,SHA256=8B4B2CFD4D4D5E46078A7F12B0233CBDE535A7DF178BF8EAD53000C7D3D5F248,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.645{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.532{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36F5-63C5-5205-00000000AF02}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.532{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.532{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.532{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.532{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.532{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-36F5-63C5-5205-00000000AF02}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.532{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36F5-63C5-5205-00000000AF02}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.533{FCCA13C7-36F5-63C5-5205-00000000AF02}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000027729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.255{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.253{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.252{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.249{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.246{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.245{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.244{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.243{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:25.242{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 354300x800000000000000011321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:22.567{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49871-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:26.814{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3E559ECA8103E45926E7F36A4345D66,SHA256=DFAD8013845BC0C6782B52B49E9EE50623B354F0C89D2F87D8D80569EB0B9CBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:26.534{FCCA13C7-36F6-63C5-5305-00000000AF02}70004916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:26.494{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-36F6-63C5-5305-00000000AF02}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000027763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:26.494{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-36F6-63C5-5305-00000000AF02}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000027762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:26.494{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-36F6-63C5-5305-00000000AF02}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 354300x800000000000000027761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:23.314{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59223-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:23.314{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59223-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 10341000x800000000000000027759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:26.355{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36F6-63C5-5305-00000000AF02}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:26.355{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:26.355{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:26.355{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:26.355{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-36F6-63C5-5305-00000000AF02}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:26.355{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:26.355{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36F6-63C5-5305-00000000AF02}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:26.355{FCCA13C7-36F6-63C5-5305-00000000AF02}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:26.032{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=150EBF1445E09DB469B5FCA1E098D049,SHA256=646B2138E8AECEBD9D150773B9419B6BDF2C801C27D2C0A5F176E40663C610DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:27.953{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B1E09AE89D353E71C5E96A5ACB7220F,SHA256=D980DBEDCA7A74298B13E5EB66568139B456178D708E35FDA013233073F05871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:27.841{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5A344358FF280AE92E7E21DE8BB1A8EA,SHA256=C0642FF4A6C2AED07D682052E1EFD48E86D6FFB5B9524CF224C4A7184C999F81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:27.123{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9E646AFDAA996D982892D2380969B4,SHA256=9B069B1A0F6AE8145073EAC7B247EDDDF921B8A871F97920792F2E7EE841FCB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:27.206{FCCA13C7-36F7-63C5-5405-00000000AF02}67844400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000027776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.134{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59224-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.134{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59224-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 10341000x800000000000000027774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:27.033{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36F7-63C5-5405-00000000AF02}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:27.033{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:27.033{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:27.033{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:27.033{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:27.033{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-36F7-63C5-5405-00000000AF02}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:27.033{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36F7-63C5-5405-00000000AF02}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:27.033{FCCA13C7-36F7-63C5-5405-00000000AF02}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:28.199{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2886C4C4778642AFBA828B56EFF825A4,SHA256=B28AD30C7DFF15252A26B8472AB84A7818A8779CB74B262B94D90D68AE157FE7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000027780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:37:28.424{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d9299e-0xe9900687) 354300x800000000000000027779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:24.594{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59225-false10.0.1.12-8000- 10341000x800000000000000011338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:29.994{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:29.987{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:29.980{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:29.970{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:29.961{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:29.936{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:29.931{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:29.924{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:29.914{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:29.908{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:29.902{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:29.899{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 23542300x800000000000000011326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:29.278{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B47AE543BDD9F911D4CA20200CC0B946,SHA256=3635FEF8371B37778776E92B8017B8028C040A4E50FE80DD4B8A8782321F1C8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:29.052{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36F9-63C5-5505-00000000AF02}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:29.052{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54BA30C2AF6538AEB36405CEB10B263D,SHA256=A1B975F6EBB56DADE96B2053F312E69DF172E0DEB5443DDB6E9F0BDF31A85C67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:29.052{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:29.052{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:29.052{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:29.052{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:29.052{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-36F9-63C5-5505-00000000AF02}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:29.052{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36F9-63C5-5505-00000000AF02}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:29.051{FCCA13C7-36F9-63C5-5505-00000000AF02}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.382{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFC75094F21B01A105E649A076E61627,SHA256=0808B68B5ACB544C7241064D70072D1A5EF01FC4A2BB2BEB50A8CECAFC3C2DF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:30.160{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6931E84AF4B47A7F3D8882A284F539D,SHA256=633DE7D9F07ECD1F90D451BA64F2E9C79D6BE9C20FCDCF8D085D0BDE10EA2F35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.070{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.068{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.065{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.064{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.061{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.059{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.058{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.057{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.056{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.054{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.053{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.051{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.048{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.041{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.040{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.030{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.023{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.009{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:30.007{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 354300x800000000000000011360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:28.429{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49872-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:31.653{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=863C6363B3AC8DC4F693E4DA1EB22DC2,SHA256=77F58B4C61FB2D27C4D7381F8731773D3C389D6A8EFB80F6D928A3D43272F4D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:31.252{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACDE17E9243CEB168C4BF3CE2334777A,SHA256=AE98F3483C05920BD7C9D4568F9EB20CD2488C8E7CF9B853A5E88DFBC09AFA00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:32.737{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C0BC39FC26B84FF241F8C0D322C566,SHA256=F365814D89529BA0E8CA1D326B5A5E0058AF29EAF908789BA0EF245FE8AD7BAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:29.647{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59226-false10.0.1.12-8000- 23542300x800000000000000027792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:32.331{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7674F1E102971631D5A558E986A6BCEA,SHA256=BE6500636E965CC3A025FB2DD9E48AC7563E8EF9B40A70392A6B116F5E8E9DB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:33.820{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45F9C2F4B83F9BB240A9762513EE6A1C,SHA256=8B8AC7FA663469DA76B0E254F7C79B85025F7865967EEB7B8E42C369F339E15A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:33.425{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B6A13341D505D87807118D55338AB1E,SHA256=662A0C70881847140834B1B481D1CA4BBDB808EBCD7837BB2D6824BC8E2B3108,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:34.899{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=526F5AD00BD3DB53D78B70D81C5D8548,SHA256=72DD65C70E04EAD4CB4FA2F32C663547A17C44A2806083663E8859281EFFE8D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:34.517{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD246B68E3688981E8D2136799FD2C5B,SHA256=1F1E854821AD1B11C7EA443D1DFB49B6C58293920975F5DF64B9CE9412A36280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:35.985{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=277BCB3419C06A365614CE79EA17B8B5,SHA256=B568E7FA45BB2E8A18038088ED29CA4E4E4C5B91519DDE9E907E77F207DB9FC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:35.611{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFFE7A03A6353D4056137531C572D2C6,SHA256=62F2B4F0FC03B0B151071FC5F674CC68838916AE3C777FD1D561DD53257A315E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:36.703{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73321B030C9BBDD2010D4772A4749643,SHA256=7A69C88800306BAE67A934B24FB6982A03D3F2724FEF6EB70076429008EB26F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:36.344{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\respondent-20230116111158-024MD5=3A7897B317CA03B79FE07533175F9643,SHA256=F76FF17815B8F96571634A983322FD544389A7130FC207258DDFB92658757A4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:37.782{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51235F99D9B72E5B7A7294EAC030E3E6,SHA256=2DEA9A684C06350818E90CF79E715AD2A2CA05763113B59091C3E3DC2B2028AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:37.057{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FB6FC08696B2BFEC602FCEB50B23C8E,SHA256=9D32B0B6C8C4FC3160B1762A144152A1554063C0E757AB8A1F616EF84225A8EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:33.587{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49873-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:37.346{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\surveyor-20230116111156-025MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:38.881{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=633A6D9146AF191710BE58DF22CFDED3,SHA256=0A9590CDF356FDE2475A0C2BB80B5D0A45625872AFDB431EFD749B73C74C60AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:38.140{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFC528F49B04BEE07A5FFABEC9473041,SHA256=B9C5BFA5D3E46D55E44A7540E05083D40979C326A1B94B58E51924289D3FBCE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:35.519{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59227-false10.0.1.12-8000- 23542300x800000000000000027803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:39.983{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9F0E5129899D28C3217E6151FB07208,SHA256=769C27F671558D49FBBE917861AB4D4DEDEE23061CEC161D6AFC6D198E004E4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:39.236{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81E67DBA8672612649F24C1B1BC19ECC,SHA256=66FB25128CED38FA4B549CEF9FBDB539B28B6DC1CE76E6CBACC2BC08007F555D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:40.307{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9AA44E2B2788BBF6E8345A1981B00FE,SHA256=0642CD2B15D2FB3C072B98936D97F6986B1E6D95A20E021F9C0B0A31B222BA34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:41.388{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F230C82FBCB24E175ABBC803D45187ED,SHA256=3B24BB7B0208E0D208C1B68367C575BCA06E56616FF8C6C086F52820DEEDF6CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:41.097{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C008B47FD8609FE5272D991A041B0D,SHA256=0416794A4D531611081FD7EBBEC1DE6BB250F64BA6D3D086159773B1206D608E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:42.468{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=228648ADA5A8C81D005A9420BFC45017,SHA256=15DEE780836E325885F532313D63B11C70292A5381A2A01151E971CFD85E2242,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.625{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.620{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.282{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.273{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.267{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.265{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.263{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.261{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.233{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.228{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.215{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.208{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.203{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 23542300x800000000000000027813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.179{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=771E1EFEDCFC4B95C3AD33170A55DF9B,SHA256=FE60A48D56EF4E3683B8A03512ED155F46D6BEBC4025B83A33D7BF0E9B42891D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.177{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.169{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.159{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.153{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.144{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.137{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.104{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:42.101{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 23542300x800000000000000011374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:43.711{312A7A06-3345-63C5-1200-00000000B002}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1E3FF9B21CEFD5640A170A6FFF06DDF6,SHA256=5BB2BAE9231678B2A6D59AD933D0362B754E8F4A31FC573A899742773D1A7822,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:43.538{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03675CCF58E5B34182A693EEC082AD4F,SHA256=56688F50987BF323FB459F892AD15DA3D5A3BEA33702B8AA0770BA5BABF0DC68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:43.886{FCCA13C7-30ED-63C5-1100-00000000AF02}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6F6E05C772002D47ABE127F5CC7E421F,SHA256=0E2BA50EA29D877A88272F1F642F528AB5D555F48852828AD8AC42134FFBF895,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:40.574{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59228-false10.0.1.12-8000- 23542300x800000000000000027827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:43.123{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE59B9388ACF9078F4FA3C1FD5EEA67,SHA256=56B4831A0E46EB442CA27895E0CC50F7DE3E8D822DBC987EF71E911CEDA0D3A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:39.596{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49874-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:44.616{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7A259ADBEE523327FADBFDC1D16D0C,SHA256=E57A116F70ADF27B151CF719E087BFA0DE6F0B97B9D8C574E126884F76FD4D4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:44.677{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:44.675{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:44.672{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:44.670{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:44.669{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:44.663{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 23542300x800000000000000027830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:44.218{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17F67F24B5BCD8047722E1744DA52D6A,SHA256=C1880B473585AD00C96A5142F4B504FDE8DBE6984526F2063DABF3ABDE2A292B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:45.707{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB3DB7290BCCF26C0441BBEB49A94E27,SHA256=3F6D509E40001C4285CFDECD09DA6B03A7345CBFA63408E864571EB155DBAE20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.303{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D12FFC9392BED20E816009771E5679F,SHA256=F46B3DD451E27CFD603B3A958DE3539ECC960E20A0EBA211DB2326485FD9433D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.276{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.267{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.252{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.250{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.225{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.218{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.204{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.199{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.197{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.194{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.192{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.191{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.187{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.184{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.183{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.182{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.181{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.179{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 23542300x800000000000000011379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:46.816{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B271B14CE216A14E8B3000CBAE3AD03F,SHA256=C279A80ED275C1BCEBFF326A196CE8F4483F3845FE22DA8027098BAC90E1AF56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:46.717{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:46.279{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81DC7A3E611AF5B343ED1152C874AD58,SHA256=EEC8FF7958D30380C670F039163353DEE5F62FB9D168FF757D58570AD4642F59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:46.313{312A7A06-3345-63C5-0D00-00000000B002}7763696C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:46.313{312A7A06-3345-63C5-0D00-00000000B002}7763696C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000011380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:47.897{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1AFC94FCF9AC6F151F8364C99B3E41D,SHA256=C625B2C16F98D74017F23CB3E5827A7EB2EDAA82785F9C241DF6EB3C173B30CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:47.706{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:47.706{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:47.706{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:47.375{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51AE42D8F644999215B9E8B4A10C2A61,SHA256=EE3256CAAB0BEFBBED4D451E4FB88409A2F797AD264B56E6BF04F636A3A81CCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:48.996{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58FA4173FAE2C3D71DAFBD3CF9334F15,SHA256=69A9C7A565D629D34EC7C028BB8007C2CAEAD24FC621C44F5DA36EB009B323C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:45.706{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59229-false10.0.1.12-8000- 23542300x800000000000000027862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:48.474{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FDA91C39396EBD7EC839C0552D78F76,SHA256=26238F29E435BE790F903931EC5CC43E7A3BABC6FB0C60FDC9145E4F5F02747B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:45.534{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49875-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:49.671{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=60A131E5DB1C92CE2F8BF077C5AED69B,SHA256=AA1957FA52978B070FFE928C39171F67887717A5056441BD5B4AA1FF531960F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:49.569{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B31ACA72A236CEC274426BF9B6FE5CAB,SHA256=FD7290F75F0D238661433AE15D0D7DCF1182E9AE62795A7FE841D3F37BD5B2C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:49.569{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=534DDA57E01275F16FF8B80DF6518716,SHA256=CDB171E63AF651AB9DDA64B0442910BB62B81F87BE4303279DC5DB025CB141FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:49.988{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:49.982{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:49.961{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000011386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:49.938{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000011385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:49.925{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000011384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:49.916{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000011383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:49.914{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 23542300x800000000000000027867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:50.654{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40FB8351CB055453DBAA4BE01C2E6840,SHA256=800FEABA24CF6A064373D41BCDD0E38F33CFBA315394917205591FFD532C1F5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.112{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.099{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.097{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.096{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.093{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.091{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.090{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.089{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.089{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.087{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.086{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.084{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.082{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 23542300x800000000000000011401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.076{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF297B0256666182C924CD65A36123D9,SHA256=78AB3D40429893B73F228D0A48D74D571C04DE15D90F66D679856A2BCC38CEE8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.076{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.073{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.068{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.061{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.049{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.048{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.039{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.033{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.024{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.018{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 10341000x800000000000000011390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:50.013{312A7A06-3346-63C5-1D00-00000000B002}19962608C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000124803D0) 23542300x800000000000000027868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:51.734{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1777ED7816479B895D31321D53FECBFA,SHA256=3EC1211B0B3809D57E7203E49163B94B4F9DC2BADB2575E7C820E5E01E9197A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:51.031{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5182362178C481ADB055AE1CFB2AD388,SHA256=4BB3C025A97F7DBDC7104F527590985852450889F9D4935C71453D67A25CEA92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:52.836{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2430A0C413874AB06BF175E01A3892E4,SHA256=08177B32A12373D93219F4409386087E542697D010BF8C43CEAC83BC85826DE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:52.886{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1D00-00000000B002}1996C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000011416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:52.137{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3644BF0D205058C1A8F2A1E5653A33CD,SHA256=04C832566B3A1C14CB1EAE5348864EFD3AF68518C43D671750713A3FD8DD274D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:53.913{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=142E127422FC3D2ECD4228D6AE1D879A,SHA256=791BB32A9A52EE14082E5567F5C6C30885570372BB6F7B6D9A060E2A2979613A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:53.191{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A55E7ECFC1BC4DB32B3BF9A7E76D02B9,SHA256=C944BF85230725DAE00C509D5456A090DC30D8C06F259DF9EC4C854DC2CDABF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:54.268{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E68E23906A85466F42D28143CF8CB679,SHA256=7556C8C22CB6ED9CD22FC7FA672419C9222AC781C8DF560C503DCAAD9D9C139C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:54.559{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FB8179CB9297C32D74E56BAE91A70268,SHA256=7C5CB801AFC037EDC95ADAA286A85CFD6572ABB2A86C57CE851D6C80AE5E34E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:51.552{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49876-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:55.350{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45FC9916C1B75C9D46834723E930478B,SHA256=7C311B135CC69CF7B5C39D3F164A0D3B3E20B0FC099D7E92D55186F589A6CA91,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:51.622{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59230-false10.0.1.12-8000- 23542300x800000000000000027872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:55.010{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7855D5ABB8EBCAFEC17A6C2694221C3D,SHA256=0F26406B49CE1F4384B5114DC9A66E0C1688FC8F3A966B99CFBFA9B8613580FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.867{312A7A06-3714-63C5-8301-00000000B002}34363876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000011449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.757{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=31A0C6D2AC47FC5AD6CB5B585DE747C0,SHA256=5761CD4873ECD943A6756582D31960E9D3DFE1DA3ACF5AB2510D5D914A397B11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.704{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3714-63C5-8301-00000000B002}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.704{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.704{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.704{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.704{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.704{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.704{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.704{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.704{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.704{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.704{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-3714-63C5-8301-00000000B002}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.704{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3714-63C5-8301-00000000B002}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.706{312A7A06-3714-63C5-8301-00000000B002}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.440{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=827EF879B3E5336BD7B9E38E9E7E653D,SHA256=13C3283AD9746B33291CC28C5B373FDC2526E68CA0EA9A0A1B4D3429F15EE10C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:56.109{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4EF796402AABB77BF335DD7C19FA8BA,SHA256=692724F4064209FC2DA9EB1F75EF998C946B21946332EDB18C6A876BA1775124,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.065{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3714-63C5-8201-00000000B002}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.065{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.065{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.065{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.065{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.065{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.065{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.065{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.065{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.065{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.065{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-3714-63C5-8201-00000000B002}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.065{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3714-63C5-8201-00000000B002}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:56.066{312A7A06-3714-63C5-8201-00000000B002}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:57.674{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DAA5322097FCE99FCDCB3532644DDAF,SHA256=6F853F68AA7DD13B6ACE2C35A96F449AD2CE0CD97B11A3475C45B876A5BB7DE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:57.398{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:57.210{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=733DB3BEA096061247F50C731C59A2A5,SHA256=963BD300FB9EDD5C65D5FA2B07FAB28152C3632AEF9B663F8D5CFF39417A9917,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:57.390{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3715-63C5-8401-00000000B002}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:57.390{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:57.390{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:57.390{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:57.390{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:57.390{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:57.390{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:57.390{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:57.390{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:57.390{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:57.390{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-3715-63C5-8401-00000000B002}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:57.390{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3715-63C5-8401-00000000B002}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:57.390{312A7A06-3715-63C5-8401-00000000B002}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:57.186{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D93FF5A00C0384E5DBBFD264F136B056,SHA256=483B3E07DD11E531C4314408DC617BFA664F9B329CBAE823179C416C0EC62B53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:58.948{312A7A06-3716-63C5-8501-00000000B002}32443240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000011480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:58.823{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE5D308897FE1C98DB2227C903C092A6,SHA256=2C0375A4A658DC79FCE8DD092DD6AD55AEEAA67B45505B14D788215B831725CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:58.807{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3716-63C5-8501-00000000B002}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:58.807{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:58.807{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:58.807{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:58.807{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:58.807{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:58.807{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:58.807{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:58.807{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:58.807{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:58.807{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-3716-63C5-8501-00000000B002}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:58.807{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3716-63C5-8501-00000000B002}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:58.808{312A7A06-3716-63C5-8501-00000000B002}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000027878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:55.854{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59231-false10.0.1.12-8089- 23542300x800000000000000027877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:58.303{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E32049FEB645C9320FEEB54FFE1A5E4,SHA256=46F39334DAD65751A28C6755C9934CCF895423C30D094699BFCA496476932E0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:58.035{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=274B24C9B82BABC2E66896F221EA035C,SHA256=38E52B91319DCF4A895A07850A13A9E1E5AC0FEF42FE9D0541A0A439757B368D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.968{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9AFDC535CB3DD593F17C85179F46B3C,SHA256=0B86D849E0F3A24921A739B884B09B77B833CCC4BAF1B19100A243E881DCDD96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.841{312A7A06-3717-63C5-8601-00000000B002}22723964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:59.397{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83649CC1F7742275113223963DB94EFE,SHA256=62458CABEC6FF6135F215DA94DB28A76F047A9923E6115FAED950B9972A4E701,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.749{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3717-63C5-8601-00000000B002}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.749{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3717-63C5-8601-00000000B002}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.749{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3717-63C5-8601-00000000B002}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.673{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3717-63C5-8601-00000000B002}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.673{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.673{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.673{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.673{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.673{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.673{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.673{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.673{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.673{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.673{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-3717-63C5-8601-00000000B002}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.673{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3717-63C5-8601-00000000B002}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:59.673{312A7A06-3717-63C5-8601-00000000B002}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:00.904{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD414FCD87F407C9570E9D7E2C8AEEAA,SHA256=C377B97E22293A6B1F6604873EAE2B72247D3A037421F59DBE25F0C09F32E952,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:57.498{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49877-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:00.484{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC60C7FC8437B911D36F89CDB8D6A358,SHA256=32E958D6A95708184211E88B8C92C3CFD6061C8C4FE0EA552414C42637DD0AB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:00.456{312A7A06-3718-63C5-8701-00000000B002}224136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:00.308{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3718-63C5-8701-00000000B002}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:00.308{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:00.308{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:00.308{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:00.308{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:00.308{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:00.308{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:00.308{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:00.308{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:00.308{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:00.308{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-3718-63C5-8701-00000000B002}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:00.308{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3718-63C5-8701-00000000B002}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:00.309{312A7A06-3718-63C5-8701-00000000B002}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:01.979{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9E4239B174A428B3D6F98956EEB75C1,SHA256=B22AAE68D72556854B3E3653414B71128F9CE6DCEA23D71B225AC6402B49AC79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:01.575{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCC8488D6E52119F1AD75D110C4989EC,SHA256=88FA71C18EFFB03BD589D23F16326184FA85D721F3721DB49AB31073BD402572,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:01.435{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3719-63C5-8801-00000000B002}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:01.435{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:01.435{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:01.435{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:01.435{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:01.435{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:01.435{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:01.435{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:01.435{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:01.435{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:01.435{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-3719-63C5-8801-00000000B002}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:01.435{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3719-63C5-8801-00000000B002}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:01.436{312A7A06-3719-63C5-8801-00000000B002}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000027881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:57.506{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59232-false10.0.1.12-8000- 10341000x800000000000000027904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.744{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.737{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 23542300x800000000000000027902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.631{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=836406FFA423D350EBE1320EA8394872,SHA256=B93F3A5E4D405ECEFACE816DB12FC9B6B49B182CA5D11400C158E083119A4664,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:02.588{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFEFB5A575FC7F8A098BF3B289C9084E,SHA256=920D07C85D9D1029DBE2BEE1DA21E8477AA39046F3FF209F6908EF941E4C1FEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.366{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.354{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.347{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.342{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.341{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.338{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.309{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.303{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.289{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.282{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.277{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.242{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.233{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.222{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.214{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.201{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.190{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.108{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 10341000x800000000000000027883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.105{FCCA13C7-3392-63C5-AF01-00000000AF02}33766828C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017CE63D0) 23542300x800000000000000027905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:03.714{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7293E5897DD6710311014D93A4A58D76,SHA256=D97892DC24B099703EA7092CBD69212480F71A7A19D6E317430DE520B3A0FF4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:03.049{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4302554315725FDD95D4E12237CECD8C,SHA256=29952CB66D0D3312C0B1F47071AAD678C2632E3954D0F1FF0ED64E1E8CE9AB58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:04.803{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20A2D035973D01B2300A8E920B1EC31A,SHA256=DD76E24A95CDA6A7D7A0FC3BAA485F05B2DF28A5FC1504E17A80BAB4F40A9F2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:04.778{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:04.777{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:04.772{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:04.770{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:04.769{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:04.763{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 23542300x800000000000000011532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:04.143{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A9A2EBA2DFB4C57C93BDC815095A279,SHA256=971E89031B46EF3A672ECC285F84753A4E72A080DB2BA37050D6A630C4CCC1F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:04.524{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:04.524{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:04.524{FCCA13C7-30EC-63C5-0B00-00000000AF02}628808C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:04.510{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-AF01-00000000AF02}3376C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.865{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EE1BF6EF517369933BB4DD630B9CAD,SHA256=6A51EA3374DC65314AB3DFB319BCF27E96B03D68D079E7EE2460D6C259D27A20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:05.243{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3500FB952971CCF7C1E07B78F8FAADEA,SHA256=5C3435C92A8366849F471F998C0A7BBBC607C576EFA3876CF71A33062B4B9EA7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.414{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.406{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.390{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.388{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.353{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.340{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.323{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.318{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.317{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.314{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.311{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.310{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.305{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.301{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.299{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.297{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.296{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000027917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:05.293{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 23542300x800000000000000027937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:06.953{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2BFE43FBDF6FE065D21259AD93A6483,SHA256=09454ED83BFEC789AE3AFF05D9EEED885F5E423E2F23A095B4A12FF3ACDAFC4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:06.330{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8376EF9680F72B52D594D0F261671138,SHA256=379A2F9B7151A36DD6545BB7B335490D2F102D77578298BD30B997FCC06646E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:02.577{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59233-false10.0.1.12-8000- 23542300x800000000000000011536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:07.423{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12413BA17695EBBF806AF6726B54411E,SHA256=3E65E9157475F0A5D6A4478EFA9A096978A4A8453FFB58185A1A520F6FA4E45B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:03.404{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49878-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:08.509{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5308A54C2FC70C73F1C509FFC8547FC,SHA256=03EFC598A33AB1AAF01859057F2D6259CC4080B6D821918B1B3FC6EC0BCE4BC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:08.769{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:08.769{FCCA13C7-30EE-63C5-1600-00000000AF02}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=C72A6283B39580EC550F967F1E59D763,SHA256=742889C6B072C88C3FDD5A7965060BCEA4DEFBE8029EF650DFCBB71C4284BBB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:08.738{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30EA-63C5-0100-00000000AF02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000027941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:08.628{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:08.628{FCCA13C7-30EC-63C5-0B00-00000000AF02}628808C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:08.613{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csvMD5=C72A6283B39580EC550F967F1E59D763,SHA256=742889C6B072C88C3FDD5A7965060BCEA4DEFBE8029EF650DFCBB71C4284BBB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:08.144{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9803CA3A6B144BB5742D3E5A338A65A9,SHA256=E08F4E5FE780E593084482C3385C53040D685E1637B894552CE7C0AEABD65BFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:09.997{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:09.988{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:09.961{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:09.955{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:09.948{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:09.941{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:09.935{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:09.925{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:09.922{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 23542300x800000000000000011539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:09.601{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33B0A36B2B727B9B9D5E79CC2BDE6DCA,SHA256=6BD8ED3AEB4D2AE434E7F6BD97E12CD9F5CFA720092E21F6A24DE5E0CA4B5AD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:09.779{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E486B619D526A682B0E3FE9FF18A5FF4,SHA256=2DC5370C38DA458865A62BAE0CBEB8A9D9353A2E9ECEC50D60C29D02280570F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:09.748{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B4F6F7AB2858B6A384E7C17862E988C1,SHA256=313213A3F57EA8DBF4498D4D73CBF2AB163A9CA34A7833C604025D2AA22CA45B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:09.231{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=921D8B74B381A026C08ABB78659345E3,SHA256=42B5A95BC6760CA8E715F6ADAA804C2AABF476534B4BBC1CC47F17F8A4895F79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:09.489{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\respondent-20230116112145-015MD5=B18DB66107F9A3DB58AE009D35CE0A39,SHA256=9B023875329D6D96D1D2E2C61D5FC66BDE525A94E7FC76E10487647BF6E62E63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:10.319{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C5C2F78C4D4CFFD053716DAAEE223F,SHA256=125A32E6242FCC5EA1F456588D768E583C2867AC6B34845D3F9CCDD04C4926F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:07.212{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59236-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local445microsoft-ds 354300x800000000000000027953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:07.212{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59236-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local445microsoft-ds 354300x800000000000000027952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:07.110{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59235-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:07.110{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59235-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:07.102{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59234-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:07.102{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59234-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 23542300x800000000000000011571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.488{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\surveyor-20230116112142-016MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.099{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.097{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.095{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.094{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.091{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.083{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.083{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.080{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.080{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.077{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.075{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.074{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.070{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.064{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.060{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.052{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.045{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.032{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.031{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.024{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.014{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:10.008{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 23542300x800000000000000027948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:10.037{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CDF34554CF947DF68B97A2A21BE20446,SHA256=34DAD8A9D88FCB3E8B246F3FE6A3F53DAB6351DA62C65B9F04B58DB24C029FBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:08.489{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49879-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:11.117{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD331B01ADF607BF4A6271313A7FC633,SHA256=AB5E9FF257B76F648D496A15FB9AF39425223A4C827925E8F5FB8CE854401DCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:11.417{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F536A5348A72FD0F512483B0902BBC7D,SHA256=1A7B63204468125BEA8558C168695ABA4C2F012C89D4448EF88318342D781602,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:07.671{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59237-false10.0.1.12-8000- 23542300x800000000000000027958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:12.383{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85B7D02F7D6FEDA9A42EF4D48660CFF,SHA256=E038D94C22C56629C430E4F4685B4C1C61EB9E65296FF088E1EAE0A445F24D75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:12.424{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C435EB470AAEACB659DB9E17E18CCCC,SHA256=0C30F26FBB23AECF0A528135DEE4025C8547E55A3C1962E63DB16AE0E93FFD39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:13.476{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F67E804C1A214441A11F756A5210616D,SHA256=F16C8912FB28C155170154C0F6ADE7FD6EAAD10451D47F054F19AFE3BB4F2DE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:13.509{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91FF5BFA0A6D84C20035CEE9D5962137,SHA256=83DB80857178BAFBCA015FBEB245D1BDDE8818B66CFC9209DC089965FA654129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:14.594{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67FFC35FE23D1055979D030CDA62405E,SHA256=8AEC8FFBE0B661CDA3FA6A6954FF87797BD1BB4B4047B64BA64F9F4DB59E028A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:14.560{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAB0C4499C7F0AA1B8F7F2CB596C3F7D,SHA256=70C98CA0EECA6B7A6A704B0F3C9C1BD37616FEA16DDFEA3819205903442327AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:10.263{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local59238-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:10.263{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local59238-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 23542300x800000000000000011577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:15.677{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54AC7E405368F72EB4CA998062A8CD11,SHA256=28A2EC095B8A3307757C92682F793838600C5FEA09A5E060B297012B6BCBC80F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:15.641{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6511C9A3771C3EE5D2DDE7BC0CD77987,SHA256=AEC31197A50805E697E876AFD514776FDDC1C671E0B8FB27D4E1A9C89B3B4F12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:16.756{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9331D9D26A9C6EB8B913BAB886A85DA,SHA256=B95AF3131D031348D60547C3F756948491B545FF5617DEE83789E4714C6772EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:16.723{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C01D378F271D2457FCDCCBD7CB657FD7,SHA256=4823626CC4E27AE241E8D6ACA20827AE54417A7125AE3DFA46779BFC60383258,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:13.545{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59239-false10.0.1.12-8000- 23542300x800000000000000011580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:17.839{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23B1D4258AA34BDE57C95A30A587519A,SHA256=F4559DF744ED29D930D41380109AA8B280041BB902C08746B40614E6C5595C69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:17.918{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C0B4F41A3BC9CC149867F1EF0C57FC0,SHA256=3E911DFF6E160FB3311C5128E6EA8BE656B6047FCA0F92EF151D66DB8740F3E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:13.634{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49880-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:18.927{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE71927BA71EB9D201676BE6BFE82379,SHA256=2F61171671B2F695407800872813E21E02047F638E64E8804293589440B96E8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:18.731{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:18.776{FCCA13C7-30EC-63C5-0B00-00000000AF02}6282324C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:18.776{FCCA13C7-30EE-63C5-1600-00000000AF02}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=A45950EC20D2406D9CC88E73F5992761,SHA256=D3B46309F51B6D99C3E09A5954C3D475C9508F7CE7834DE16B6C1B90271DA774,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:18.635{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:18.619{FCCA13C7-30EC-63C5-0B00-00000000AF02}6282324C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:18.619{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csvMD5=A45950EC20D2406D9CC88E73F5992761,SHA256=D3B46309F51B6D99C3E09A5954C3D475C9508F7CE7834DE16B6C1B90271DA774,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:19.768{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2492D2AF43CFD29B98488B0A721507CD,SHA256=8BA03D8806CA1313E58CBAD89B3D998DAB0C90AD81FCF3B42ACA27BFFC29F2A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:19.658{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=531FC618A70C8B4575787B9648981794,SHA256=DCCF7E44AEB5BC22921051025C75012A13D8D0F627F86DF5487B910AEF153276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:19.011{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B3752BF1D86800091686B96C142B56B,SHA256=31996028BDD58103C2F758A12B05700513A732D17B2B1CB4E6FD6406CAF54332,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:17.101{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49881-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000011583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:20.005{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0A25EB4CC7BC384F2DB43BF944A32F4,SHA256=142A25C0B31ECD9B18DBEE5EC34DA2EB4B41FEC00D94A5A0DAEB7BEB1272F294,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:17.109{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59241-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:17.109{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59241-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:17.100{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59240-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:17.100{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59240-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 23542300x800000000000000027975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:20.097{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CA3ADB04CD18DAF0832A348CDF29359,SHA256=F0DE439A8EA998004553F0FEAA866334CDEFD5683E7DAC3499A1807C701246C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:21.073{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6629D6E290E302BDC6D2F6931352AABF,SHA256=EA36C0F2F4A38C2B6D6B0215B4256ABAE63790524E9BE3E18D5A2D2A1FF87286,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:18.614{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59242-false10.0.1.12-8000- 23542300x800000000000000027980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:21.195{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE7F11BF7BBF2371F9C923115CF2466B,SHA256=EF18BCD2A8DDFDEA8DA0D662BB5CC1C8C47288C5319C5FECA26C10A02A23018D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:22.141{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C3C0ACD48B44F474AF0FC8AAA464196,SHA256=DA7BD176F02E4AA1B80D9A714AD78D60134E98303F46D6546C679ACE5765CD43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.761{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.753{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.331{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.320{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.313{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.310{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.308{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.306{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.280{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.274{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000027993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.264{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2168888F322940AD0D00832B210DDF9,SHA256=D96E20AF766A7800C7577E1A9CFCF1D74826CE7DBFACA0FC969100148CB59997,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.260{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.253{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.248{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.211{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.203{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.188{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.181{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.171{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.164{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.116{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000027982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:22.111{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000011588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:23.211{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54DD00A2B3D2F4CB4E0EAD29BBA17BEE,SHA256=40F791C34566ED582EC0ECF4E65DC38E470E6EC5D1A4361FD4DF4A43E5D75776,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:23.705{FCCA13C7-372F-63C5-5605-00000000AF02}21163320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:23.565{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-372F-63C5-5605-00000000AF02}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:23.565{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:23.565{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:23.565{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:23.565{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:23.565{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-372F-63C5-5605-00000000AF02}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:23.565{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-372F-63C5-5605-00000000AF02}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:23.566{FCCA13C7-372F-63C5-5605-00000000AF02}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:23.323{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3ABE64940148733CE47E9E1089AF1AF,SHA256=FEDA4986AB92454243CFA0894EC7BD0F5981A99295DDE42307BA0AD0F5F93294,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:19.587{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49882-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:24.300{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6B421F19A2DCC8C5FFB336B90CA865B,SHA256=C93F807E12E48A6E13E1B227774322674F67E1A0A9FE3C8D1C14CCAA4281A4E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.860{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-3730-63C5-5805-00000000AF02}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.860{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.860{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.860{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.860{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.860{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-3730-63C5-5805-00000000AF02}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.860{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-3730-63C5-5805-00000000AF02}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.861{FCCA13C7-3730-63C5-5805-00000000AF02}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.814{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.813{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.810{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.808{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.807{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.802{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000028023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.724{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=02386287A383DFE39B755832F63C1247,SHA256=3CBE469E7D0C53AD55BC7B058CBAE7F47785C860B70C38351F4CD5E9A2647744,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.395{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBAE303FBE17B0A04F870CE0EDDDCB0B,SHA256=3F91E86605714927E4BAB8BAEDA5003A387BF960FDE9DF349E6C73160FE820CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.193{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-3730-63C5-5705-00000000AF02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.193{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.193{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.193{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.193{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.193{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-3730-63C5-5705-00000000AF02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.193{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-3730-63C5-5705-00000000AF02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.194{FCCA13C7-3730-63C5-5705-00000000AF02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:25.406{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09F16029A32E484997FA12A030752EE9,SHA256=E7C06425836B9763B8341074702F5E511C5978339D685AF19B1DE3AF0363E6C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.869{FCCA13C7-3386-63C5-9501-00000000AF02}28963900C:\Windows\system32\taskhostw.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.728{FCCA13C7-3731-63C5-5905-00000000AF02}69803204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.635{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3AF6BECA11F399A1A78FF229E611203,SHA256=024A63C01D0E848C5446094F61E1459095A2681989ECBF9FBF2460A43C36E696,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.538{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-3731-63C5-5905-00000000AF02}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.538{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.538{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.538{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.538{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.538{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-3731-63C5-5905-00000000AF02}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.538{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-3731-63C5-5905-00000000AF02}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.539{FCCA13C7-3731-63C5-5905-00000000AF02}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.406{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.399{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.387{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.385{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.365{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.358{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000028050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.349{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=5CE543EE9F4909098465A66A418676F8,SHA256=61BF2961746B1F8C7EA11294C5368B9357EE6093851698421D6BC1EA6118EE51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.347{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.342{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.341{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.338{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.336{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.335{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.332{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.330{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.329{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.328{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.328{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:25.326{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000011591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:26.502{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E7946B2A82769E2726396BCA0F3F376,SHA256=2441E8E0A0754F0BDC947FE15ADA806DBBEBFAA4EA3A5D7A28158B481C7ECA28,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:26.532{FCCA13C7-3732-63C5-5A05-00000000AF02}43047100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:26.453{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5471B326A9B34F9D0F3A8A88DBF06A89,SHA256=ED6B63AD6685DE25218702D649FB695FE0E638FD12B134430068C6B3FFC30263,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:26.374{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-3732-63C5-5A05-00000000AF02}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:26.372{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:26.372{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:26.371{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:26.371{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:26.371{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-3732-63C5-5A05-00000000AF02}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:26.371{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-3732-63C5-5A05-00000000AF02}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:26.370{FCCA13C7-3732-63C5-5A05-00000000AF02}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:27.605{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E0735E162D16695E87A34D9CF1A727F,SHA256=E1A849F924CD08A2DFDAB2DD52B494BEDAB3F3FEF098E946153DC58A2BF9ACD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:24.619{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59243-false10.0.1.12-8000- 23542300x800000000000000028087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:27.535{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC07B0EC5281A17831665A25DA50E371,SHA256=118425B8F630F9974B08F322E848BFC6C96CE4F64A2F45D45B7E1EBD15769743,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:27.192{FCCA13C7-3733-63C5-5B05-00000000AF02}10447024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:27.035{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-3733-63C5-5B05-00000000AF02}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:27.035{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:27.035{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:27.035{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:27.035{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:27.035{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-3733-63C5-5B05-00000000AF02}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:27.035{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-3733-63C5-5B05-00000000AF02}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:27.036{FCCA13C7-3733-63C5-5B05-00000000AF02}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:28.710{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFB77B74D942A453BB572732BF1307F0,SHA256=682ED8222C8314AEBC817D09A2A82512C8B5C56470646CB37640EE024FA03347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:28.307{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DE068B754E7CB1542B8C41404E850F26,SHA256=9318F3D93B829DA1D9DEEBB52B2FD087A9194836EE3077AB288C59FB0B537829,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:25.423{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49883-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000028118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.415{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.415{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.415{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.409{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.409{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.409{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.241{FCCA13C7-3387-63C5-9D01-00000000AF02}12846000C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.241{FCCA13C7-3387-63C5-9D01-00000000AF02}12846000C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.241{FCCA13C7-3387-63C5-9D01-00000000AF02}12846000C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.241{FCCA13C7-3386-63C5-9501-00000000AF02}28963900C:\Windows\system32\taskhostw.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.241{FCCA13C7-3386-63C5-9501-00000000AF02}28963900C:\Windows\system32\taskhostw.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.210{FCCA13C7-3387-63C5-9D01-00000000AF02}12845724C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.210{FCCA13C7-3387-63C5-9D01-00000000AF02}12845724C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.210{FCCA13C7-3387-63C5-9D01-00000000AF02}12845724C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.210{FCCA13C7-3387-63C5-9D01-00000000AF02}12845724C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.210{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.210{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.210{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.210{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.210{FCCA13C7-30EE-63C5-1600-00000000AF02}12921508C:\Windows\system32\svchost.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.210{FCCA13C7-30EE-63C5-1600-00000000AF02}12921332C:\Windows\system32\svchost.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.131{FCCA13C7-3734-63C5-5D05-00000000AF02}60766636C:\Windows\system32\conhost.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.116{FCCA13C7-3383-63C5-8701-00000000AF02}33724520C:\Windows\system32\csrss.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.116{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.116{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.116{FCCA13C7-3383-63C5-8701-00000000AF02}33723484C:\Windows\system32\csrss.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.116{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.116{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.116{FCCA13C7-3387-63C5-9D01-00000000AF02}12844688C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\windows.storage.dll+16fcea|C:\Windows\System32\windows.storage.dll+16faa6|C:\Windows\System32\SHELL32.dll+5c3dd|C:\Windows\System32\SHELL32.dll+5b256|C:\Windows\System32\SHELL32.dll+4d869|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+5a0e3|C:\Windows\System32\SHELL32.dll+59fab|C:\Windows\System32\SHELL32.dll+598c7|C:\Windows\System32\SHELL32.dll+5958c|C:\Windows\System32\SHELL32.dll+125a17|C:\Windows\System32\SHELL32.dll+125975 154100x800000000000000028089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:28.115{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{FCCA13C7-3385-63C5-B3E7-140000000000}0x14e7b32HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\explorer.exe"C:\Windows\Explorer.EXE" /NOUACCHECK 10341000x800000000000000011603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:29.956{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:29.947{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:29.938{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:29.930{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:29.919{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:29.910{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:29.907{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 23542300x800000000000000011596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:29.805{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D6434CDD5A47C1F66FFF126B9AEF743,SHA256=7FABF58BEFDD2803CCFCDF805AB954F62C73BE4B951A116BEFB1FD69CBB4F064,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:29.828{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000028129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:29.828{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000028128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:29.828{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000028127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:29.058{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-3735-63C5-5E05-00000000AF02}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:29.058{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:29.058{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:29.058{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:29.058{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:29.058{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-3735-63C5-5E05-00000000AF02}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:29.058{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-3735-63C5-5E05-00000000AF02}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:29.059{FCCA13C7-3735-63C5-5E05-00000000AF02}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:29.058{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E69F7F1F42A9F10BBADE6D98612D2A,SHA256=2AD382E5D00DFA316A8478930236B426F484256AFF2693946D733731A192CA21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.117{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.113{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.111{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.109{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.104{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.102{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.099{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.098{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.096{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.093{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.090{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.088{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.084{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.074{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.072{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.067{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.060{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.045{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.043{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.035{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.029{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.022{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.009{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000011604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.002{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000028134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:30.866{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000028133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:30.866{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000028132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:30.866{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 23542300x800000000000000028131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:30.156{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF642D8AB651EBA2581D642CAEF209AB,SHA256=9F17961A528372317EF9AE04B556E9907EC46AFE38E035A42DE5AAE33B6816FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:31.341{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA3CD6BEE915DF5CC7BAFB5A30DE40C2,SHA256=8974B5876B8E7479DC6862496AABE56492B2E56349C7A1BC6ECED3E6988E0B39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:31.240{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7608BE28242E743C2D4D58BB2C40D13B,SHA256=2DF29743ADFB17933B2FC822DEB9F88179E5A0D74BA56FD9ADB103C6A0F59305,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:32.396{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F856E85663038790590B325C200414EC,SHA256=02F389A34615425251A45500BF1A415E552861C792503E5FC11DAF0C3F4AC89D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:32.319{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03FFDEDE1B49CDB85AFA5DE3CE10E386,SHA256=0D8AA756531A22CB34EF6C52772FA0D5600E0DB2A2D12D0FE8597CAE7D58A19B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:33.464{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECA8281175A9BA10A1B33A22790B6A6E,SHA256=5CF4200ABD068C25C6D53370CAFF568F4EAB8055BA1A047440AD13687975B0C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:33.410{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1ADE3A7FE15810C7D1B7B6B52636389,SHA256=539FF4AAB325C29E258C3298C15FE8174341544B9AD2FE162BF092ADF1508454,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:34.537{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD30FA349BE1C23A5C915450C0212D75,SHA256=6B89DB9FAF8F5CF552C3A93678BB26D2BD3F700BEF25B9ED68C8635F811C970D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:34.948{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:34.948{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:34.948{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:34.948{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:34.954{FCCA13C7-373A-63C5-5F05-00000000AF02}5528C:\Windows\System32\mmc.exe10.0.14393.4169 (rs1_release.210107-1130)Microsoft Management ConsoleMicrosoft® Windows® Operating SystemMicrosoft Corporationmmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\gpedit.msc" /update C:\Users\Administrator\ATTACKRANGE\Administrator{FCCA13C7-3385-63C5-B3E7-140000000000}0x14e7b32HighMD5=495BFF5AE1B52661212BB65F1CFDA718,SHA256=A08EC9D2F811726BDCD71F7C5B40CDB543D092C11811A45180E569FE3F62124D,IMPHASH=ED5A55DAB5A02F29D6EE7E0015F91A9F{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 10341000x800000000000000028154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:34.948{FCCA13C7-30EC-63C5-0B00-00000000AF02}628808C:\Windows\system32\lsass.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:34.933{FCCA13C7-30EC-63C5-0B00-00000000AF02}628808C:\Windows\system32\lsass.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:34.901{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:34.870{FCCA13C7-30EE-63C5-1600-00000000AF02}12921508C:\Windows\system32\svchost.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:34.870{FCCA13C7-30EE-63C5-1600-00000000AF02}12921332C:\Windows\system32\svchost.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:34.510{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0330C29F972D9974065603D8E0D891C,SHA256=206BB8634A9E3C197E6AC4626919E1B43558792D2DFFA73817EAB263DC642728,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:30.519{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49884-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000028148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:30.578{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59244-false10.0.1.12-8000- 13241300x800000000000000028147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:34.041{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000028146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:34.041{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0018a582) 13241300x800000000000000028145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:34.041{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92996-0xae8081fc) 13241300x800000000000000028144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:34.041{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d9299f-0x1044e9fc) 13241300x800000000000000028143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:34.041{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d929a7-0x720951fc) 13241300x800000000000000028142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:34.041{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000028141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:34.041{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0018a582) 13241300x800000000000000028140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:34.041{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92996-0xae8081fc) 13241300x800000000000000028139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:34.041{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d9299f-0x1044e9fc) 13241300x800000000000000028138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:34.041{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d929a7-0x720951fc) 23542300x800000000000000011633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:35.623{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=638A38B008C13F02BA739EFFD867B1FC,SHA256=E89AEA5A7D2EE943A19D4DC90475A5BB3291F58474FCE91643C3F7F017F6987E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:35.990{FCCA13C7-30ED-63C5-0D00-00000000AF02}9083964C:\Windows\system32\svchost.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:35.990{FCCA13C7-30ED-63C5-0D00-00000000AF02}9083964C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000028169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:35.833{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d9299f-0x11bde610) 23542300x800000000000000028168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:35.639{FCCA13C7-3386-63C5-9501-00000000AF02}2896ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\VFQMRO7Q\views[1]MD5=BEE1758A485085BB8A121EB74BA7E96F,SHA256=EDCAD5B1CE8A304B70B8C9EA57D4AEAB740D979FFA59243B943011CB1BA4D57E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:35.638{FCCA13C7-373A-63C5-5F05-00000000AF02}5528ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\6BJ8DAHX\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:35.626{FCCA13C7-3386-63C5-9501-00000000AF02}2896ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\6BJ8DAHX\views[1]MD5=A726593A8261930E4786375106FC6BFE,SHA256=E6BFDFBB9A0649EA9D38DE4255C355C581097E6A1035A54943260B22AD45F172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:35.624{FCCA13C7-373A-63C5-5F05-00000000AF02}5528ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\DG3B2HYU\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:35.606{FCCA13C7-3386-63C5-9501-00000000AF02}2896ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\DG3B2HYU\views[1]MD5=BEE1758A485085BB8A121EB74BA7E96F,SHA256=EDCAD5B1CE8A304B70B8C9EA57D4AEAB740D979FFA59243B943011CB1BA4D57E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:35.605{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEEAC5F749468F35A85E1D5877054C4A,SHA256=0BB071AA405E5C13025EAA734F8F486F29E0E2FA7A4D5627BA25218EAB90B5F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:35.601{FCCA13C7-373A-63C5-5F05-00000000AF02}5528ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\VFQMRO7Q\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:35.230{FCCA13C7-3386-63C5-9501-00000000AF02}2896ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\VFQMRO7Q\views[1]MD5=A726593A8261930E4786375106FC6BFE,SHA256=E6BFDFBB9A0649EA9D38DE4255C355C581097E6A1035A54943260B22AD45F172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:35.230{FCCA13C7-373A-63C5-5F05-00000000AF02}5528ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\6BJ8DAHX\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:36.703{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44A0869827C0EF073B872A384BD94E34,SHA256=5F7AD5C44D71BB51D52289877957CCC1078A6BBA4C9BA67A37F0BBBE4D78B2FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:36.692{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=988FE20885E357330CDC3409B911B913,SHA256=2618E2A4348F009F2AE4CAB0A65A1F9AE307F27C6258D93A7E1CAD575ECD3C16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:36.368{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=306370AE9F68A388387C5E265696E8F0,SHA256=CB2736BADFA1F2E9832825D08AF0783F337E20A1BE54949E19313FFEC6075CF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:37.796{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F327B44E5481ACC156FBDB06BEAAC298,SHA256=A05F8486231F3293090FD6E4C5DD5982241069503861FFBEB8C2A9AD89EDE4B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:37.883{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\respondent-20230116111158-025MD5=3A7897B317CA03B79FE07533175F9643,SHA256=F76FF17815B8F96571634A983322FD544389A7130FC207258DDFB92658757A4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:37.770{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=661B1E5C1E367334EDC612283A2863A2,SHA256=912F6017B1873D37C7C58C245508545E904AECA1491171AC6670D45B31E469C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:37.661{FCCA13C7-3387-63C5-9D01-00000000AF02}12846000C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:37.661{FCCA13C7-3387-63C5-9D01-00000000AF02}12846000C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:37.661{FCCA13C7-3387-63C5-9D01-00000000AF02}12846000C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:37.645{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:37.645{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:37.645{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:37.645{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000011636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:38.870{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=245116C4117C45B2B39E6F097E115A57,SHA256=3C24D0BE4778494777BD48D2551258152A6403D53B6092072AD7F0E902C8127A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:38.887{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\surveyor-20230116111156-026MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:38.870{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BCD7B681D990879AF722C689D441CBF,SHA256=2170233F02D9DB4C1297CE348C152D0A640EB69559357BB068A483893D23BF55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:39.947{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AFB5D06B604744A0C87B459802812DB,SHA256=BDBAD065E28317248917B1FD7B547A1BB806AE3117A8EAAC491060741BD1AA61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:39.967{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B0ADC7D01AD52D0483E37B1FB6684E3,SHA256=1EE0FBE1B1BEC577749C5392ADCCD61EAFE40BEF9BF462C57B3C03F238B49114,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:36.465{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49885-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 13241300x800000000000000028190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:39.498{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x800000000000000028189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:39.498{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x800000000000000028188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:39.498{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x800000000000000028187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:39.498{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d9299f-0x13ed23df) 13241300x800000000000000028186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:39.498{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x800000000000000028185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:39.498{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 354300x800000000000000028192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:36.505{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59245-false10.0.1.12-8000- 23542300x800000000000000028193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:41.053{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63851777D31926710031B288614DAD07,SHA256=20681E2E7F3F1E9543A2114E1A605F4D093F81C380F401EE1D2609A16D000725,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:41.051{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D10802E02C49AC18C210D815546E4830,SHA256=87720A3D1F2F7573E1F36BEF42631BA6574BFB50E66CE0214A565D476CD3730B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.827{FCCA13C7-3386-63C5-9501-00000000AF02}2896ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\DG3B2HYU\views[1]MD5=BEE1758A485085BB8A121EB74BA7E96F,SHA256=EDCAD5B1CE8A304B70B8C9EA57D4AEAB740D979FFA59243B943011CB1BA4D57E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.826{FCCA13C7-3742-63C5-6005-00000000AF02}6952ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\VFQMRO7Q\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.805{FCCA13C7-3386-63C5-9501-00000000AF02}2896ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\VFQMRO7Q\views[1]MD5=A726593A8261930E4786375106FC6BFE,SHA256=E6BFDFBB9A0649EA9D38DE4255C355C581097E6A1035A54943260B22AD45F172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.800{FCCA13C7-3742-63C5-6005-00000000AF02}6952ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\6BJ8DAHX\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.788{FCCA13C7-3386-63C5-9501-00000000AF02}2896ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\6BJ8DAHX\views[1]MD5=BEE1758A485085BB8A121EB74BA7E96F,SHA256=EDCAD5B1CE8A304B70B8C9EA57D4AEAB740D979FFA59243B943011CB1BA4D57E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.787{FCCA13C7-3742-63C5-6005-00000000AF02}6952ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\DG3B2HYU\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.625{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.619{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 23542300x800000000000000028221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.562{FCCA13C7-3386-63C5-9501-00000000AF02}2896ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\DG3B2HYU\views[1]MD5=A726593A8261930E4786375106FC6BFE,SHA256=E6BFDFBB9A0649EA9D38DE4255C355C581097E6A1035A54943260B22AD45F172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.560{FCCA13C7-3742-63C5-6005-00000000AF02}6952ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\VFQMRO7Q\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.320{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.319{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.319{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.319{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.318{FCCA13C7-3742-63C5-6005-00000000AF02}6952C:\Windows\System32\mmc.exe10.0.14393.4169 (rs1_release.210107-1130)Microsoft Management ConsoleMicrosoft® Windows® Operating SystemMicrosoft Corporationmmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\gpedit.msc" /forceC:\Users\Administrator\ATTACKRANGE\Administrator{FCCA13C7-3385-63C5-B3E7-140000000000}0x14e7b32HighMD5=495BFF5AE1B52661212BB65F1CFDA718,SHA256=A08EC9D2F811726BDCD71F7C5B40CDB543D092C11811A45180E569FE3F62124D,IMPHASH=ED5A55DAB5A02F29D6EE7E0015F91A9F{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 10341000x800000000000000028214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.309{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.280{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.271{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.264{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.262{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.260{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.258{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.234{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.228{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.216{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.210{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.206{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.180{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.169{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.160{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.154{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.146{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 23542300x800000000000000028197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.142{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2DEF05656DB6B558A364AEC0E2E75F1,SHA256=F08CAF6600EFDC2562395D2B235BBC85D57285B19EB5FFCE321D22398DCC0319,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.138{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.105{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000028194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:42.103{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 23542300x800000000000000011640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:42.129{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39ACCAE8C4853BB92EC3B0DAAB268890,SHA256=A4ECDB95177A7A84A95C24D44F909DDB8993CD3476701982415220D050EE4882,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:43.899{FCCA13C7-30ED-63C5-1100-00000000AF02}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F2E8DAB971D0329B811B554307D8F752,SHA256=C9AA8006AC744E1E20B048CC1550E4F27527AE52CA3A8E67695EC54617FA10D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:43.622{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5233D0C11AD1B211418C7D435170AED,SHA256=44135E851FB5847F643775132F149CFC5C600C133EEE2FDD41411AA5562FF95D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:43.481{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF338C7A6083F7E90758B5FBA84F0B8,SHA256=8E822D7825305ECC8786EF4BFC6A134D59DB008FC8127012B26046BADB70B751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:43.719{312A7A06-3345-63C5-1200-00000000B002}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6E15D2FE929998E77B6B1C803C03C529,SHA256=0628F24E2EA59CE0B843C07C8DEFBB01B69854944232C25F593463F084F2FD3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:43.206{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCF567E3F54814F6D340B5A8B5D39DB9,SHA256=51AAB2AEF63FACACBD60B72C1B964C6B7B1E9FD592DCFF2BDE0940A5A463B3E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:44.675{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:44.673{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:44.670{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:44.668{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:44.666{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:44.659{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 23542300x800000000000000028240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:44.612{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F85D8031F6CAB1AF20B0EDA48DAACDF4,SHA256=77066243979A7601F0CA1FA3953522ED417A01D94E98E894A9F182242D07EC5D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000011654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:38:44.957{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000011653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:38:44.957{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000fa436) 13241300x800000000000000011652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:38:44.957{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92996-0xb50855be) 13241300x800000000000000011651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:38:44.957{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d9299f-0x16ccbdbe) 13241300x800000000000000011650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:38:44.957{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d929a7-0x789125be) 13241300x800000000000000011649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:38:44.957{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000011648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:38:44.957{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000fa436) 13241300x800000000000000011647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:38:44.957{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92996-0xb50855be) 13241300x800000000000000011646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:38:44.957{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d9299f-0x16ccbdbe) 13241300x800000000000000011645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:38:44.957{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d929a7-0x789125be) 354300x800000000000000011644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:41.546{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49886-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:44.295{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2B24FA5B9A17AF72FABD327562C74F2,SHA256=6D9C227E49F76EE340650B3CB373791ABA876BD97BDBFF66BDD7D8906A0EE6CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:44.372{FCCA13C7-3387-63C5-9D01-00000000AF02}12846000C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:44.372{FCCA13C7-3387-63C5-9D01-00000000AF02}12846000C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:44.372{FCCA13C7-3387-63C5-9D01-00000000AF02}12846000C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:44.372{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:44.372{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:44.372{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:44.372{FCCA13C7-3387-63C5-9D01-00000000AF02}12846132C:\Windows\Explorer.EXE{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.786{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D79166572D7319749DDD80585C8FCC6,SHA256=57E7952DA2B301F3F5911884E5CF54969F2258C1119AAB3BC803154C1A3FDFD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:45.406{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE49F9ACA8018CD9C363A599012D7BD,SHA256=2E0314805E10BBBCC31108A9FC9429987D81C047360986A336D2602E00ED303D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.295{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.294{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.269{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 354300x800000000000000028264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:41.624{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59246-false10.0.1.12-8000- 10341000x800000000000000028263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.262{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.248{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.245{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.222{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.216{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.202{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.197{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.196{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.193{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.191{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.190{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.186{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.183{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.182{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.182{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.181{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000028247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:45.179{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 23542300x800000000000000028269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:46.796{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=632AC0E35D976C267A8370607C91A0FD,SHA256=C9DCE9E255D1FDC10CF4E45A90FD2032207807D76876140157457C46FC3AC8AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:46.505{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F9F0D329B43ED07F4D931288692D04F,SHA256=A49DE66163569873204DA1083EDA230E8CE880BCB1327FAF6CE6F31296B2AAE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:47.888{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A0FAB1AD30C894BA9EC22D18B5E0B9B,SHA256=448A1F19897630B2DD702FD8D3A71D9506B13B6EE200551A932A109EFD72A1E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:47.594{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=695D9A930754F023B540002DBC6D5BA7,SHA256=6347088A11B7830C03D49D6A922F00FF1E79667430F30DE1F6E568F3B7F2B8A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:47.185{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:47.185{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:47.185{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:48.979{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=001199C61AF9B83FAD7DE094E875E34D,SHA256=6293C5337FF5A2F77C6145F1E234C34566B5DBC5C8CB9A93E3ABD1B5E36FC60D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:48.676{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D430BE3B7FAD98B3FBF3A0DE687C88B,SHA256=786D8A7B7641B87A6074FD3287E82A85ACDC929AB0CDD1AF1C377FB1A791E028,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:49.996{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:49.975{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:49.966{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:49.953{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:49.945{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:49.939{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 23542300x800000000000000011662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:49.766{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2453BDB65105AA960B58582EABE93FD9,SHA256=51FB9A0205F70F4A82DB89E299B63380A6CA6C0DAAA137EC40E34D765D045069,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.978{FCCA13C7-30EC-63C5-0B00-00000000AF02}628756C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.947{FCCA13C7-30EE-63C5-1600-00000000AF02}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\templates\policies\tmpgptfl.infMD5=F443C7B00E42C58336E9113C4B92A1EA,SHA256=01406B7BD612A8321213382482E44EA2C7B5467B57E17E9C135EAB2A8221FAEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.947{FCCA13C7-30EE-63C5-1600-00000000AF02}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\templates\policies\tmpgptfl.infMD5=26FFB2926F32F78EAEF80D8A870A88C6,SHA256=BA4E44773C9233D16C9950097A1D1FEF3AB2E8376120959E529DC97EF1871D7C,IMPHASH=00000000000000000000000000000000falsetrue 18141800x800000000000000028292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-ConnectPipe2023-01-16 11:38:49.947{FCCA13C7-30EE-63C5-1600-00000000AF02}1292\scerpcC:\Windows\system32\svchost.exe 23542300x800000000000000028291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.947{FCCA13C7-30EE-63C5-1600-00000000AF02}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\templates\policies\gpt00001.infMD5=DBBF697C05F302D06DD05403297DB608,SHA256=632CAD193E30E450B7753E6D16643B576DFABAA1FA60E8D29DA7665946810599,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.947{FCCA13C7-30EE-63C5-1600-00000000AF02}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\templates\policies\gpt00000.domMD5=338F5A9E4E606FC803055C8314E3F366,SHA256=DD15D6AD575AD10CBA979783EE68DC6A5A21ECDABDB4E0678F83870931BBD317,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.916{FCCA13C7-30EE-63C5-1600-00000000AF02}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\tempntuser.polMD5=74ED163F3DBD037DE7C0B8FFA0C38E3B,SHA256=987BD290A6DFD0F530BE33C02A1316320E389385B131C1BBA63210947A2A8E15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.885{FCCA13C7-30EC-63C5-0B00-00000000AF02}628756C:\Windows\system32\lsass.exe{FCCA13C7-30EA-63C5-0100-00000000AF02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000028287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.830{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3749-63C5-6105-00000000AF02}6560C:\Windows\system32\gpupdate.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.830{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3749-63C5-6105-00000000AF02}6560C:\Windows\system32\gpupdate.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.830{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3749-63C5-6105-00000000AF02}6560C:\Windows\system32\gpupdate.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.826{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3749-63C5-6105-00000000AF02}6560C:\Windows\system32\gpupdate.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.826{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3749-63C5-6105-00000000AF02}6560C:\Windows\system32\gpupdate.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.826{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3749-63C5-6105-00000000AF02}6560C:\Windows\system32\gpupdate.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.779{FCCA13C7-30EC-63C5-0B00-00000000AF02}628756C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.779{FCCA13C7-30EC-63C5-0B00-00000000AF02}628808C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.748{FCCA13C7-3734-63C5-5D05-00000000AF02}60766636C:\Windows\system32\conhost.exe{FCCA13C7-3749-63C5-6105-00000000AF02}6560C:\Windows\system32\gpupdate.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.748{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.748{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.748{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.748{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.748{FCCA13C7-3383-63C5-8701-00000000AF02}33725032C:\Windows\system32\csrss.exe{FCCA13C7-3749-63C5-6105-00000000AF02}6560C:\Windows\system32\gpupdate.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.748{FCCA13C7-3734-63C5-5C05-00000000AF02}43646272C:\Windows\system32\cmd.exe{FCCA13C7-3749-63C5-6105-00000000AF02}6560C:\Windows\system32\gpupdate.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.757{FCCA13C7-3749-63C5-6105-00000000AF02}6560C:\Windows\System32\gpupdate.exe10.0.14393.3986 (rs1_release.201002-1707)Microsoft® Group Policy Update UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationGPUpdate.exegpupdate /forceC:\Users\Administrator\ATTACKRANGE\Administrator{FCCA13C7-3385-63C5-B3E7-140000000000}0x14e7b32HighMD5=2A360690356FCE21B7F18F4DB3CB8BF2,SHA256=AE6E09BD8130D3488FEE07248EFB58B08EB64B3C8F2FE64DD56A196BA82A299B,IMPHASH=B850A25F38035110A9276C6D7150694A{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 354300x800000000000000028340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:48.262{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59251-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000028339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:48.262{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59251-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000028338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:48.255{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59250-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000028337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:48.255{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59250-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000028336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:48.247{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59249-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local49666- 354300x800000000000000028335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:48.247{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59249-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local49666- 354300x800000000000000028334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:48.246{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59248-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local135epmap 354300x800000000000000028333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:48.246{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59248-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local135epmap 23542300x800000000000000028332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.833{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19E7F72FE3D9B26CFDE5FC1C6AF231FE,SHA256=7A0D7BFAE182DB15A54686835A939859F9F2D177B8B0131FE0A599ACBED03432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.820{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5294A0AB6C4642F0144F9C44FF705503,SHA256=4251D1D5A5427D699D9ACA8BD6EA410DA9A4CCC83271EC8EA46C729470969722,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000028330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.780{FCCA13C7-374A-63C5-6205-00000000AF02}7056C:\Windows\System32\taskhostw.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 13241300x800000000000000028329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:50.763{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000de5) 10341000x800000000000000028328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.511{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.511{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000028326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:50.511{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Options\EnablePacketQueueDWORD (0x00000000) 10341000x800000000000000028325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.511{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.511{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.511{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.511{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.511{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.511{FCCA13C7-30ED-63C5-0C00-00000000AF02}848892C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.511{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.511{FCCA13C7-30ED-63C5-0C00-00000000AF02}848892C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000028317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:50.511{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 23542300x800000000000000028316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.495{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D933CA44F6627D52757DAF005764367B,SHA256=B67D10E26C150440B36DAFE9E638E82ED79286FF4B5585F3C4DD211931ADCD97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.464{FCCA13C7-30EE-63C5-1600-00000000AF02}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\WindowsUpdate.logMD5=038356387332650843BCB352BB89A101,SHA256=492C9B102256321FB5598FF87ED5BCCAB8159F36DD8416CE4011FFBF5E96048D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.464{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.417{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.401{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.401{FCCA13C7-30EC-63C5-0B00-00000000AF02}628808C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.401{FCCA13C7-30EE-63C5-1600-00000000AF02}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=0AEDEF3F98A680A334ED235D4D1148B0,SHA256=21B8564D402A5C1BB2DD31C7C15AA4CB8860CAA56C02C320B823B0EA916885E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.401{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+58a7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.401{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.401{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.401{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000028305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:47.545{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59247-false10.0.1.12-8000- 10341000x800000000000000028304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.370{FCCA13C7-30EC-63C5-0B00-00000000AF02}628756C:\Windows\system32\lsass.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000028303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:50.370{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\NTDS\Parameters\ldapserverintegrityDWORD (0x00000001) 13241300x800000000000000028302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:50.370{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Netlogon\Parameters\requiresignorsealDWORD (0x00000001) 13241300x800000000000000028301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:50.370{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\requiresecuritysignatureDWORD (0x00000001) 13241300x800000000000000028300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-SetValue2023-01-16 11:38:50.370{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\enablesecuritysignatureDWORD (0x00000001) 13241300x800000000000000028299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.localT1101SetValue2023-01-16 11:38:50.370{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001) 10341000x800000000000000028298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.370{FCCA13C7-30EC-63C5-0B00-00000000AF02}628756C:\Windows\system32\lsass.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.354{FCCA13C7-30EC-63C5-0B00-00000000AF02}628756C:\Windows\system32\lsass.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:50.073{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D72506D47C8E69F530EC91DF476D0A,SHA256=78D9E7893A325E350DF161737ABF38F46DE9AD343AD1F7BB9E91BEF9579C7A0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.154{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.153{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.151{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.150{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.146{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.144{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.143{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.138{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.138{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.135{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.134{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.132{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.127{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.117{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.115{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.110{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.103{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.089{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.087{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.079{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.071{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.063{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.042{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.037{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:50.002{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 354300x800000000000000011695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:47.476{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49887-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:51.014{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E04352D02161C973B4C8FB3472C7FE3,SHA256=7BBF3E080E207AAF9FDC26133AD67688E7121C8022E27A14D05F54696D3DDAC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.266{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59256-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000028352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.266{00000000-0000-0000-0000-000000000000}7056<unknown process>-tcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59256-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000028351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.237{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local59255-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 10341000x800000000000000028350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:51.777{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3749-63C5-6105-00000000AF02}6560C:\Windows\system32\gpupdate.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000028349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:51.777{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3749-63C5-6105-00000000AF02}6560C:\Windows\system32\gpupdate.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 10341000x800000000000000028348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:51.777{FCCA13C7-3392-63C5-AF01-00000000AF02}33766108C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3749-63C5-6105-00000000AF02}6560C:\Windows\system32\gpupdate.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839150) 354300x800000000000000028347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:48.893{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59254-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000028346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:48.893{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59254-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000028345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:48.887{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59253-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000028344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:48.887{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59253-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000028343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:48.359{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59252-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local445microsoft-ds 354300x800000000000000028342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:48.359{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local59252-truefe80:0:0:0:5d46:b69e:195c:9972win-dc-ctus-attack-range-221.attackrange.local445microsoft-ds 23542300x800000000000000028341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:51.386{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6B4D4BFC88DAC8BAF6E253708A2FC5D,SHA256=F2E0D591F198008DB652D5328FF5BE2F14E41AC8CE8A831B79398886F0AFBABD,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000028358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.252{00000000-0000-0000-0000-000000000000}7056win-dc-ctus-attack-range-221.attackrange.local0fe80::5d46:b69e:195c:9972;::ffff:10.0.1.14;<unknown process> 354300x800000000000000028357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.292{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59257-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000028356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.292{00000000-0000-0000-0000-000000000000}7056<unknown process>-tcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59257-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000028355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:49.237{00000000-0000-0000-0000-000000000000}7056<unknown process>-tcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local59255-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 23542300x800000000000000028354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:52.454{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC9A494C00A78B76FAE74BE16EDF783C,SHA256=FCD0DA39ACEDC50FD4FA461ECADA282A2AF636E1CE53BE70BD1D7D7F29BFCCEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:52.906{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:52.906{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:52.906{312A7A06-3345-63C5-0B00-00000000B002}628668C:\Windows\system32\lsass.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:52.893{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1D00-00000000B002}1996C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000011696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:52.112{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F05FD783D2F295AB7F9400320867A36,SHA256=6CC1B4B18DF00AA504D78D25D5BA380B3F9F39EBC9939B59F432E286FEC82122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:53.556{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C6C0C3CA391866CBC058950AC45A001,SHA256=3426BDFBF44BBB9DCB5179E8DCAA565B546BD5235C7A22516A375EE17608DC68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:53.183{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=516A428B3AA6A9087A0511DDFFC0CDD4,SHA256=9B7CDB084AC582D232B05F219838BE376EC8B963896AEDA2AC908BC472139E29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:54.824{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8541761536A7FA436BCBA987596C7CCA,SHA256=CBEBAC05986E0FAFE6E60971E8D5374AA7184ED92CD6486F5646E7916CD92774,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:54.652{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=952839625F5EA815FFB85F8E2A9B4EF7,SHA256=9AB6E40162C6CACE0F682D9C63A44FAF93259475B0365A2D67C931A77A690179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:54.274{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEE162D93479B487C928E617B3BF0AAF,SHA256=D363991EBD56CEBE3ADD0C4A2A247D593C6B065C7CB9BCA11FC0102A1358B408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:55.740{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19DEFB0E7B6BD665364E2FC2FF553358,SHA256=C52653E5B116DA7371FF7409D08B5FCA78BAF55780A92E4A4C2DD3AA3B5447F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:52.487{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49888-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:55.358{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=368F7AE0C27C52DA5A4D1CE11819107E,SHA256=7B7CDBB14B7AA13305A9D5F9E4889BC527E9657B121033845EEA3BEB35B91650,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:56.825{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EA45687B396714C12FBE484E56AE655,SHA256=A01AA6C808F7A7A9ED94427B89062D496C6EC3C724E796DDE4A89C784AA9099F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.788{312A7A06-3750-63C5-8A01-00000000B002}38083472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.616{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3750-63C5-8A01-00000000B002}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.616{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.616{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.616{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.616{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.616{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.616{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.616{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-3750-63C5-8A01-00000000B002}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.616{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.616{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.616{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.616{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3750-63C5-8A01-00000000B002}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.618{312A7A06-3750-63C5-8A01-00000000B002}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.428{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CBB227443F330C2EA5D6197FCD06BC5,SHA256=709546DD7FE97F68FC1F7F3A4DDADBA7363FAE2004AA97023B1AFFF8C536A5CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:53.514{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59258-false10.0.1.12-8000- 10341000x800000000000000028372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:56.083{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:56.083{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:56.083{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:56.082{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:56.078{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:56.078{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:56.078{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:56.078{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:56.075{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:56.074{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 23542300x800000000000000011721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.319{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3A17C3680B2D31C9604088CC05983C24,SHA256=9D4DEDE83A1F01A3BAEA8C1971F61601E17AECCAD97C6DD12DA170E119AC3A53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.222{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3750-63C5-8901-00000000B002}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.222{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3750-63C5-8901-00000000B002}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.222{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3750-63C5-8901-00000000B002}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.089{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3750-63C5-8901-00000000B002}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.089{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.089{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.089{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.089{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.089{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.089{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.089{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.089{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.089{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.089{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-3750-63C5-8901-00000000B002}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.089{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3750-63C5-8901-00000000B002}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:56.090{312A7A06-3750-63C5-8901-00000000B002}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:57.923{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=454659D7237A8104F7C831E7085B361B,SHA256=88B7D21B54DBEC75B4384B419291BD9532CDDBDBF35B5F83BFAD1E958F59F671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:57.740{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=495E1FC71E16023702D3509AC43D956D,SHA256=58A588CB49F581D20F4CFB20117692995D23D4836FC05FB07B3EF525E725485B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:57.423{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:57.287{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3751-63C5-8B01-00000000B002}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:57.287{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:57.287{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:57.287{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:57.287{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:57.287{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:57.287{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:57.287{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:57.287{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:57.287{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:57.287{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-3751-63C5-8B01-00000000B002}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:57.287{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3751-63C5-8B01-00000000B002}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:57.288{312A7A06-3751-63C5-8B01-00000000B002}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:57.266{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D36B42F09143DA82F0A53C60E797BEE,SHA256=3DC34FBCDEE50C676695EBC9E5EFB6A1CF4A60D825B151F5DA480A6D7E10C31E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:58.979{312A7A06-3752-63C5-8C01-00000000B002}5043192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000028377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:55.879{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59259-false10.0.1.12-8089- 10341000x800000000000000011765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:58.823{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3752-63C5-8C01-00000000B002}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:58.823{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:58.823{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:58.823{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:58.823{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:58.823{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:58.823{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:58.823{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:58.823{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:58.823{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:58.823{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-3752-63C5-8C01-00000000B002}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:58.823{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3752-63C5-8C01-00000000B002}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:58.824{312A7A06-3752-63C5-8C01-00000000B002}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:58.557{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BB5B26BE1A838ABB86E74ABC05E1E8C5,SHA256=A78B61814CB8E0D04B391E15CBAE94C0A4AA531674E90EC2D0809913F28239AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:59.011{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01C05CC28F1EE87F72BCD89B0BCE5332,SHA256=FE698D39A393026D0A62929B285859F1EDCDB1F87A951EFBDBCE01C9F2F57D0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:59.838{312A7A06-3753-63C5-8D01-00000000B002}40882296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:59.676{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3753-63C5-8D01-00000000B002}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:59.676{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:59.676{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:59.676{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:59.676{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:59.676{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:59.676{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:59.676{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:59.676{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:59.676{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:59.676{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-3753-63C5-8D01-00000000B002}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:59.676{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3753-63C5-8D01-00000000B002}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:59.677{312A7A06-3753-63C5-8D01-00000000B002}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:59.010{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FA66B2BCD965D9BCF08D9A93EAAE271,SHA256=9EE8EE5AD514FA0F54FC90510A90A84C161DCEB6A4C7F7C2F6F9AB0315759311,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:00.100{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD93B3E44DAC2755F2CBEE75742015F,SHA256=2BFA4D4B9BF2DCD21DD18181BBD203E52D0E17D72AC5B91585EE9BF1818855DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:38:57.631{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49889-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000011802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.407{312A7A06-3754-63C5-8E01-00000000B002}31883100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.326{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3754-63C5-8E01-00000000B002}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.326{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3754-63C5-8E01-00000000B002}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.326{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3754-63C5-8E01-00000000B002}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.326{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3754-63C5-8E01-00000000B002}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.326{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3754-63C5-8E01-00000000B002}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.326{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3754-63C5-8E01-00000000B002}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.230{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3754-63C5-8E01-00000000B002}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.230{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.230{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.230{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.230{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.230{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.230{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.230{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.230{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.230{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-3754-63C5-8E01-00000000B002}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.230{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.230{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3754-63C5-8E01-00000000B002}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.232{312A7A06-3754-63C5-8E01-00000000B002}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:00.067{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E3B74707C4279626A3A9D9569A05DCB,SHA256=A19F6C7F95DD49D5349941DDA1523426985A978E9C091B888081F15769BFFB8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:01.185{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A124B39AD349A85BCCDB0EAA2B0022F4,SHA256=7D75AD2D24E999AA7282B0B44559F8DF1A5E020067D51325EA90CC79E817795E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.508{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3755-63C5-8F01-00000000B002}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.508{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3755-63C5-8F01-00000000B002}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.508{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3755-63C5-8F01-00000000B002}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.318{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3755-63C5-8F01-00000000B002}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.318{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.318{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.318{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.318{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.318{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.318{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.318{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.318{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.318{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.318{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-3755-63C5-8F01-00000000B002}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.318{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3755-63C5-8F01-00000000B002}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.320{312A7A06-3755-63C5-8F01-00000000B002}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:01.157{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41AE1F1659753571C0BC66A5F497C87A,SHA256=8D06E6CC92935CE94278A5DB7177B2EC59D9FDB8B4779FC09BC94E7E779A9241,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:38:59.525{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59260-false10.0.1.12-8000- 10341000x800000000000000028402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.609{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.605{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.279{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.268{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.262{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.260{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.258{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000028395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.257{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A9C7AC5D153A7C7971AD69D86DF74C0,SHA256=E088692CFFD6DBA2D46D7965AD4656CB4B777CD21A2C6E7253248E7AB441010E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.256{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.230{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.225{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.213{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.207{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.202{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000011822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:02.441{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=708C27C6EC4C31FAA2E6671D3AD4F6FB,SHA256=0ABB44BDBBE8D283D89AA4D97ABE592FCDFA04B85C6C428F98D9ED9EB91E9770,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:02.222{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4699C0929A983BB6F521DD37947A045E,SHA256=B97F716BF11131D9091D8B26943D19B301BEAFAF9820BA8E29F9CDBD85AE8D61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.174{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.166{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.156{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.150{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.141{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.133{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.110{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:02.105{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000011823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:03.293{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A9A44CFF5611B9E5DABFB3211B5110F,SHA256=5B666AEA877C7557B1DF5D1C12D3063888AF8459937FCB979C68273FC4B341A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:03.317{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C876120013A63BE4BB6E32DB422A14,SHA256=DDCF0D0EAA2D7EE4D440EFE918158294C28FB03C985A0872EA5BE05A9B099BE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:04.387{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95D47C754E0C1EDD35E28D3AAE171E2C,SHA256=C7933986E310C7677E3A0F90D657FF1E9C4638D48335FA9AA28210540AFECF41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:04.647{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:04.646{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:04.643{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:04.640{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:04.639{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:04.634{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:04.510{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-AF01-00000000AF02}3376C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:04.411{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE3309531BFFA0C8BDB8474B74101F80,SHA256=B0A56F6E6F2F70525613D2FF05D3CF0695C80766A6A9F467381D68600232C519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:05.471{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B76B23CA7843C6602F88C527775D5303,SHA256=6ACA4D02BF6E40BE36C0DE70760854A006A0A5AAED5E92CD8C314EEE55F1D03E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.520{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C25EBD5946EF954C052898074D0757AC,SHA256=CA8D98FFD047FF715AC13E26EBC179B75598D01FBB256C5465F6C885B53D811C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.294{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.293{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.273{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.263{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.250{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.248{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.213{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.199{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.187{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.182{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.181{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.178{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.176{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.175{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.172{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.169{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.168{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.167{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.166{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:05.164{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000011826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:06.558{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A8F1582B2F8CE59E518874D1AF5B7CE,SHA256=0507431329DE7B792C462F3FFABE2DFF0DAC73A8DA3FE55E0C76054D30B4FCD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:06.553{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD6EA3A3736B8928639072141AE5D24F,SHA256=77C637A30FC03AAF6A5B0838AF754B774448C92FF15DC584D002DA37B987B3D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:07.653{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A1D720A12E7890C876A82BA5C8E10B2,SHA256=10A76A38077BD1F93CB1887DF2B3EABC5246541EFBC3732195F5E6A228CE62FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:07.648{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2292EF88C600C74E6C987D8C123FA2B,SHA256=138EE0409F62D0637CA7497C5B3A33B73C32439586352486A1A289F7F070F9E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:03.575{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49890-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:08.733{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BDEDBEF9F5CE4A74D8F8E46D866D923,SHA256=8434ED57996110FFDBA796F1B19CB544D58CDAA5198F9220950AF154B8098E5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.736{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFDC999FA231E36C5E10E27C59B35B02,SHA256=D2F8D03DA087AE9B21C2A18736BBDDF86BE2952445BAB6344B9536FC43536239,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:08.704{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000028436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:04.593{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59261-false10.0.1.12-8000- 10341000x800000000000000011838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:09.995{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:09.965{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:09.960{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:09.952{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:09.947{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:09.933{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:09.925{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:09.922{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 23542300x800000000000000011830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:09.825{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2831E6D23C1552CA2A8701637A70160F,SHA256=C56B92B9B8E9730B644A8C588C52E38A5AD8103EA68BB543DDC0F555BFC260F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.915{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C0B4FE057D2925EE1751A7F72C9549A,SHA256=6C985C797209FB44ED0753E7AA5D69EA36EF461D33EF211D83CDC0E2B9004A2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:10.038{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E9393E47790D5F55C3A6D2C7409B306,SHA256=16347E0752423C7606698B4496415DDD0CAA377F14E3E7099E57E231DA7A2DC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.087{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.084{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.082{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.081{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.077{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.075{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.074{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.073{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.072{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.069{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.068{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.068{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.064{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.057{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.055{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.050{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.041{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.028{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.026{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.018{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.013{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.007{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 10341000x800000000000000011839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:10.000{312A7A06-3346-63C5-1D00-00000000B002}19962588C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480850) 23542300x800000000000000011864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:11.986{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A067D5EFEC621F66987BAEFB8D891496,SHA256=5108C5E4226A3B57D1D9734B963FD5FBB8C0F7FBE9875C6E237B513C0B7F75F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:11.197{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8EAF46B2CD54166B1155AD7F20C20A4,SHA256=6322CD98B468D8BB24C4ED5CED8E027CB6F64AEB6B9B0EC304EDE9FE32A1BAAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:11.004{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\respondent-20230116112145-016MD5=B18DB66107F9A3DB58AE009D35CE0A39,SHA256=9B023875329D6D96D1D2E2C61D5FC66BDE525A94E7FC76E10487647BF6E62E63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:12.922{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65B262AE692EC7F17358A1D0C8A9C1C1,SHA256=1E30C0D9B049BBBF9F730F5C75204DEFA694ACD0AA53D732C2A8E271AAF4BE80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:12.309{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A390570611BB626E99212E4AB6F5A545,SHA256=EB5FFA73600593F3CA0C0EDB4172289952CEC338BF707F1B88F8CB1A3BD74EBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:09.580{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49891-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:12.004{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\surveyor-20230116112142-017MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:13.409{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C62124A8A82D9DDEE9E87602AD69B4B5,SHA256=2B597183AEF571206B0DC52A1942F433FCB391CF006B9CA009D09312C3B45D10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:13.075{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1A39AE1CDF5AA26EE188CCBF9CBDDF9,SHA256=75D946DA56A5B666CE6218212C686D47C08E683B814B3078C111EC180FB64F6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:10.266{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local59262-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000028475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:10.266{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local59262-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 23542300x800000000000000028479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:14.524{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=073BEE5BE7068355C924257EB94E027B,SHA256=AE0E6AD5E8C6D3CF5A792A2350EF886120FD5D1322FC98B01545800F2BA3B2B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:14.159{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4072CD2BFE4E5F02D80F5913CCE60DE,SHA256=4100981E3B3E3F7AEF0743E9E493D350AB73AA20A0BEF1EA9CA04F75CA796A57,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:10.533{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59263-false10.0.1.12-8000- 23542300x800000000000000028480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:15.598{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E40AE13CD7D90D7B7A704A336FECA5D7,SHA256=C05F48447A2B93FAA663CCF9FEA0A42D5DCE2E04C0EF360A4579364DE92B29FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:15.238{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93EDC030290EDEE7FA021953FEB10B20,SHA256=318231841DD0538BFE7200FCBB3A84EF307C849C8BD1848E99F5F972F1061DD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:16.685{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40C21A4B009DE23950FDEB2217865A0E,SHA256=21EAA6F362D4EEFBABB638325BB7884E9EF496BFE5C695049270AD59AEED98BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:16.315{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A54776D9769139FBEFE507A1F7DA97F8,SHA256=F2ED2644AFE834713BC0F677D30902D623378453CF0B01A255FEC4CDF9EA2CEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:17.780{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BAEA9702EC994667FB7F1E211A463AE,SHA256=EAF53DDF2DEDCE9754D135E069FFAC9A2122D174B7E03614CE1D352BC39C7496,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:14.590{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49892-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:17.413{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4803E38FA5A541D82D3EDA0D95DC1070,SHA256=C12ED0A676B540BB5D5E02D93BDD08D54CFBCF36AC9C653796DEB62B9786DB2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:18.879{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B48BC8A0F96CE805D08031E3CC91752E,SHA256=3E8C5EBD2F525FFBEF46122383AF988521F4F671767F6723A8C4AAB84BAB25AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:18.743{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:18.493{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=330A7322979CFE7072BB67C6CEC594D1,SHA256=1B770FAC265972B12A683BB247E8FB350EED2BAC35B06D8792E51C4005290772,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:19.963{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=523F2AA747FE210EF02DDA387EE7C44E,SHA256=AA10E1A511AE24C790A91022E55C31DC34AC73CBEC53B71269724CCE2552442F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:19.599{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4E425075FDFAF77B0B61293043074D4,SHA256=38863264B20A2F67D5D9730873C264BE738C73DBC7F1D32B0263B3DBE508C085,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:16.519{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59264-false10.0.1.12-8000- 23542300x800000000000000011877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:20.691{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B50A27A1B16C2FA78E3501F97CC74864,SHA256=0C93D16DAA88D7C524B302A19A903B4564FC7AFDFD21D6DD144AEE2CC9F06887,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:17.127{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49893-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000011878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:21.748{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=625BE5E4966B8B8B0EF7E1931C1FFFD7,SHA256=8BE021184E2B10C5C6CD259AE6C3804AC88D76C0FE06A73C8BC06E0CAF3F1932,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:21.065{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9944A3F0F28468A368E604F62B1E5E5E,SHA256=73B67337C2EC91F31F03F85FE7539A894B1BC63B8F8C4CFC0014CBEFAAFEAD3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:22.818{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B35ADB44C68BFB2BA45C174EE3D2C80,SHA256=CEDCAEB3C90EA904CFE9A6A08F3A121BD1925D83F38C98662750E21B68C62A68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.583{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.579{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.281{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.270{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.263{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.260{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.259{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.257{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.231{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.226{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.215{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.208{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.203{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.180{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.172{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.164{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.158{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.150{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.143{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000028489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.140{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FBD7572BFEBBB19D017FE5878439451,SHA256=BCF6BEA4A72B2991E1EFCB7EF214AD9F95F515A82439628FE69FE3EDBF6D9669,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.101{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:22.099{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000011881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:23.926{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4054A82895B4320AEA71C22E405460B,SHA256=F515C0B1A4A3708F490D777D9F437AFD0F29BA624E21D2F873578FB9B4E6DD2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:23.710{FCCA13C7-376B-63C5-6305-00000000AF02}39043564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:23.553{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-376B-63C5-6305-00000000AF02}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:23.553{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:23.553{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:23.553{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:23.553{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:23.553{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-376B-63C5-6305-00000000AF02}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:23.553{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-376B-63C5-6305-00000000AF02}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:23.554{FCCA13C7-376B-63C5-6305-00000000AF02}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:23.206{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D1B95F193D0032E71900D75770D7679,SHA256=7A55769E996EFDDD212DCACDAC0DED325DD2414F0598164695D2DA73D4D25517,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:20.445{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49894-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.923{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2F093C92DE14FD52C17B0A515E458E0F,SHA256=801BACE5309E5E63D1EB7AC7D05247A0596CFB4BAB4DB953942B4FFA58132574,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.688{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-376C-63C5-6505-00000000AF02}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.688{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.688{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.688{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.688{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.688{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-376C-63C5-6505-00000000AF02}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.688{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-376C-63C5-6505-00000000AF02}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.690{FCCA13C7-376C-63C5-6505-00000000AF02}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.623{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.622{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.619{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.618{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.616{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.611{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000028528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.532{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6A75EDE4D45AC42A5AB0EFE706201A1B,SHA256=B683A53FF5664F5086D9D9C74B174FB18CFF73816719B3B3813EA521C5B614CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.304{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD57C8A0388D09B7C232CA0DE05AFA20,SHA256=6892C0B8D5AB6FC09D90618E6CA892FD542A744EB153779A99F09770BB9AB6A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.195{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-376C-63C5-6405-00000000AF02}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.195{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.195{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.195{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.195{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.195{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-376C-63C5-6405-00000000AF02}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.195{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-376C-63C5-6405-00000000AF02}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:24.196{FCCA13C7-376C-63C5-6405-00000000AF02}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:25.022{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D41F34706242112E12862C8C792A2AC,SHA256=45944C975D4F53F26D36C5A1FDFEFC78D4C6E356E6ABFFCBEE8AFE4B815143CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.840{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C0E18D19EFC9174C51232FE0B69B0F8,SHA256=9C2DCE221A412474E5A31E6F5ABF5435E0A4050F01B08DA8FA8849B030E2DDE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:21.695{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59265-false10.0.1.12-8000- 10341000x800000000000000028575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.575{FCCA13C7-376D-63C5-6605-00000000AF02}65847000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.545{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-376D-63C5-6605-00000000AF02}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.542{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-376D-63C5-6605-00000000AF02}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.542{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-376D-63C5-6605-00000000AF02}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.365{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-376D-63C5-6605-00000000AF02}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.365{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.365{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.365{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.365{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.365{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-376D-63C5-6605-00000000AF02}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.365{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-376D-63C5-6605-00000000AF02}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.366{FCCA13C7-376D-63C5-6605-00000000AF02}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.236{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.235{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.216{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.209{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.197{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.194{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.172{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.166{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.154{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.150{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.148{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.146{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.144{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.143{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.140{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.138{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.137{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.136{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.135{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:25.134{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000011883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:26.100{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F9A9BC2F57AE54606C4E26530E3AC6,SHA256=65C9359D47A5759224906511DF5E0182CC50B185EE7701EE21AD2DA91D2C772E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:26.562{FCCA13C7-376E-63C5-6705-00000000AF02}69125508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:26.549{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-376E-63C5-6705-00000000AF02}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:26.549{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-376E-63C5-6705-00000000AF02}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:26.549{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-376E-63C5-6705-00000000AF02}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 23542300x800000000000000028586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:26.386{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7631F2A974FF4155A53580B1771E09FA,SHA256=AE86B42F5C903C6B2010D63B351FAAF62D9BD39A0DBD4AC9FBABEAF0F9E09A13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:26.371{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-376E-63C5-6705-00000000AF02}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:26.371{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:26.371{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:26.371{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:26.371{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:26.371{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-376E-63C5-6705-00000000AF02}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:26.371{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-376E-63C5-6705-00000000AF02}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:26.372{FCCA13C7-376E-63C5-6705-00000000AF02}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:27.495{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B607AE9C2AD88F3804FE94CCEA0E7C7,SHA256=F66F628774BC189C4B2BC94302DFF4F4464FD60886F607DF7518B88EC82B5065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:27.779{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6E1839EBBB7BDDB2DF6C9BC3DE3265D6,SHA256=D5880E19AB017B8F2F65342C29BF4BA63B61E25CBDF718904349909595F2F8E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:27.186{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5812CD4CD69E087238DDA8FA5967543,SHA256=6118B6C75810AEC5F8F5BEF5B4B779D663121571DECDDEEBD91106B7C86510A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:27.214{FCCA13C7-376F-63C5-6805-00000000AF02}60286852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:27.043{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-376F-63C5-6805-00000000AF02}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:27.043{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:27.043{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:27.043{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:27.043{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:27.043{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-376F-63C5-6805-00000000AF02}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:27.043{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-376F-63C5-6805-00000000AF02}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:27.042{FCCA13C7-376F-63C5-6805-00000000AF02}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000011887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:25.569{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49895-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:28.274{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9E0CE4798E54DD2834250E72E892F9F,SHA256=62F479A2B3E9E9AA12C62370D85EFA4997FAA7946B6CDAA1837FA3C1A58AEB21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:28.615{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5E7503A1D02F18072560CAFFD313BB3,SHA256=128210FA96E98C51258C364BCE37A9CD85736A993BFDD62D2B5075D0E48C66A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:29.696{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B50C95F822F1B6FD2C1B7481EEE0655,SHA256=F5E43C1CEA84F41E750D34C2DCF1EA66677F110110B8402EBA23DC6AD6847B66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:29.997{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:29.955{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:29.950{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:29.940{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:29.933{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:29.926{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:29.918{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:29.915{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 23542300x800000000000000011888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:29.352{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C86D9E2746CFA648779704FBAF8F751D,SHA256=D5D8E2C5E5228420717D0BD4B4A1BE4027E5A113644A43B01D9433819AAD6A25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:29.065{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-3771-63C5-6905-00000000AF02}1696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:29.065{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:29.065{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:29.065{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:29.065{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:29.065{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-3771-63C5-6905-00000000AF02}1696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:29.065{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-3771-63C5-6905-00000000AF02}1696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:29.066{FCCA13C7-3771-63C5-6905-00000000AF02}1696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.426{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7D216EE20F625E163309CB8A8701B5D,SHA256=5A0C4E873C6C72B3FD8125B59F1F389676F47DE34F8629FD94D4EF6D84DE7091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:30.796{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBDB2A1C278793AAF6C53AB9127B94F2,SHA256=A5EEE5981E54BC2851AC22402223A8DDFF34654A6DE9223E4D47B7357742AE31,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:27.569{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59266-false10.0.1.12-8000- 10341000x800000000000000011919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.104{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.103{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.100{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.093{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.089{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.087{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.086{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.084{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.083{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.080{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.079{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.078{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.075{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.070{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.068{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.062{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.055{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.037{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.035{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.027{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.020{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.010{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 10341000x800000000000000011897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:30.003{312A7A06-3346-63C5-1D00-00000000B002}19962580C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012884CD0) 23542300x800000000000000011921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:31.611{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E520AE4B9944BE8A471C20E4A77A44CE,SHA256=6AE7B06427148DDA868227A4960FEC1D3EC7502DC8695425D38E835E198EFDAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:31.888{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87B5B67D99E7C95872F348A2E4870CFC,SHA256=C5EA060F64C04D36E80DB6AB50A086DB4C4B9691B1DCC0DC7F53C26B379AE4D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:32.981{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54612E7D2BF667F498176C8BB31E350C,SHA256=35AA77E86A1C201AA9D095E9F0F13D228D286D667F70528FB44C29B2DC2CDC9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:32.703{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B2C83B89E93BB44261FD6F4521B22D8,SHA256=558EB9CBF19FCC90639A19F98936FDA4E0D95EEF444801883B1D96287BB8FA62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:33.772{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AF404A55DA8F152E2B7A0EC6FA5B490,SHA256=914FA0FE142677AAB705DEAEC815F42792F7FA69BDBAD75C18C2DD24EFA0E866,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:31.474{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49896-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:34.856{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=967A9460DF177CF2BBD3D75387805EA8,SHA256=648CA56E5BC7E34B596A9210150F900816F9F324131D8959AD7DBF2CEEB5A9E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:34.074{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E1A57CA0C6F236BF39512DD21E0824F,SHA256=D83BE95922E35743703A437BC802833780E4CB2334F126D4426ED709E31FA6C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:35.955{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=705CBB566055D02D2B7EE2FFAC0A01CE,SHA256=3CD930056FCB5FD7D435C459445F897F0BB3DAAFF1B475D24C608BC8315C5956,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:35.148{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A42497CF5FC856C007C5C851A05608E4,SHA256=969985E625251195D3386D25806C4F4CD88446D75F919C85D00E14B2024CC71B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:33.536{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59267-false10.0.1.12-8000- 23542300x800000000000000028617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:36.230{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFECD8EF658D84D0F4B338F88FD0067A,SHA256=066DC968AD2846F3E4CAE04F61FFDD1FCCFB9EF274C9037B548DBE1FCDE71EC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:37.327{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7235E91AFEA7318805636453652A90B,SHA256=316982D6F1B88074C7602A05BBD20A7E65571A314B70E3475BC84560F9D1EC58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:37.055{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=379FCEDA3312034DC02D3463EE4F78BB,SHA256=5552C028D7CB33D51061094980FF34405472095248EBE2E60B5B73B5A71F95F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:38.426{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFDB1C9E0326BF62DAADC958A058205E,SHA256=AB263949E1775E12A20DE6E1D6865D9801BCC4C5B0DA100113FB21C401B42E66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:38.149{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=223724093367BAF97F5268717BCE8A3E,SHA256=432EF9AA9D09107AB2A9CAD54DDFCCC44B37B58F002FA767F60C1BD3BFFC906E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:39.524{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422A4976F367121CD500E1BBD0DBD5C8,SHA256=EB432055217BE0C7D535D309ED6A627BBF2414DDF38F5AA137D0CC59708302E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:39.229{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29A183DB01267F7E624EECABB1CB8DCD,SHA256=75F3FD512E19D8A7BF43E3AD2491F0BADF487FCC898D14E66D07D48371AB2B17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:39.412{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\respondent-20230116111158-026MD5=3A7897B317CA03B79FE07533175F9643,SHA256=F76FF17815B8F96571634A983322FD544389A7130FC207258DDFB92658757A4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:40.608{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B51C0D90D82DC14913E5FBEC46371F,SHA256=E031BCB6B8F23DB77D754F87D04645157390485ECD7C30D1C1396A65B0C17692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:40.304{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAA9C2BF769EA964246D4DE32D228EE1,SHA256=56E011DFE158DDF9882D11583A8E17047AC6AD2A99424119A68B9AF6634A0BD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:40.425{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\surveyor-20230116111156-027MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:36.517{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49897-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:41.710{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8984538F67F64954C63CCBDDD7B71EC,SHA256=CBECC8E26DE0DFEFAAA9C8D200961517FF2359A386B0949461F2AD0113F94491,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:41.388{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79015DB4488A499B59F7A021E0D55D57,SHA256=35E9F573AC19950AEAE14B336ED853DCB239454E712257EE6DFD51DEE1B48011,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.857{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5061D86162B2AA439B065E5E3F16AEFD,SHA256=B9CEB709D131B3BA981DA7FAA4BEAC1CA7AF1E9800AB62E21A9393B8BE217492,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:42.493{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C5AB7D69FF6E72C61F57EDF430C6E2E,SHA256=9C01994F7D0FF7E2FDA1934C06D2D70DCABD366395613BB80F93C8C2B98FB9F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.688{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.683{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.324{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.313{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.307{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.303{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.302{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.297{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.259{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.246{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.231{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.223{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.218{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.180{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.172{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.161{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.155{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.146{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.138{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.100{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:42.097{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 354300x800000000000000028626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:38.649{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59268-false10.0.1.12-8000- 23542300x800000000000000028650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:43.972{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BAE06299EA62FDB7BFAC78D647D391D,SHA256=641D3E9FACB26CA177D9DBE9545C51B8102612ACBF646CBB7980EB7AC885EC49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:43.908{FCCA13C7-30ED-63C5-1100-00000000AF02}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=88AC40EC98D3703B22D3F5FFF7E9F86F,SHA256=6745801866A35D4BF4E5E088F7D07DD23E17B2BB92E7B2CCA1DFA27F7DB64C28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:43.726{312A7A06-3345-63C5-1200-00000000B002}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0FE5EFABC7E72DFC6176FB05FFB936EA,SHA256=D8BF62B3F35E542E2075F0AD644273B209BA10F0C92A19759DD4AE83604820D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:43.570{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D8387A42DF2FCD6F8AA25A34F62047,SHA256=F96D8B7766D78718493E460EC1DEF9EEB2BD9B88A3A826A2C67DD72D91A2FF28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:44.958{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF598A4CA9D995A684F617E2E6CAC062,SHA256=1540D65DC8B4A695FB7914BFC053E33C36AC75D8456B6D1F1C4CCC9E51F5C7DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:44.653{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF85CB9DD83258D5A12C53F01D066B85,SHA256=70BF2A8B512CC46D46F4B1ED5958CF3E757AF7EFBD3074093BDA0665C8FCA2E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:44.725{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:44.724{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:44.721{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:44.718{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:44.717{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:44.712{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000011937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:45.733{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DEF7245AA9A231A510A9034011781D2,SHA256=925DB7E5B08744F960DE8F13B62C918676459DD1462CA8DC5CD36730369C35CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.369{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.368{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.345{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.337{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.320{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.318{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.289{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.283{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.268{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.263{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.261{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.257{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.255{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.254{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.250{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.247{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.246{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.245{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.244{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000028658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:45.242{FCCA13C7-3392-63C5-AF01-00000000AF02}33766104C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000011939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:46.822{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2296144132AD22D121E4919D518AA8E0,SHA256=A8CE8FD0E618106C6BA55964440EC44ED12C4A0716E0E236581A435CE09D3D30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:46.013{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACED68D8D325623BFBA5A074A1A4D5CC,SHA256=B02CF390E30052E5CC5D4C687B9FB13D6248B0178EFD9995AED3C72D93A0229D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:42.529{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49898-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:47.926{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=936DC1926328CAE9657943EDE2027343,SHA256=BD94CA2A4AD8C757AC3DFA12FC128C4F82E3687FA1E0555C7FF82FBF3BA392A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:47.114{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=771B05FAA14F0587CC29D688652882D8,SHA256=D3E9E5F8849A9DBA5B66AD5253111EC883E8DE98853F325AFD15947B87052888,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:47.143{312A7A06-3345-63C5-0D00-00000000B002}7763696C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:48.209{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C0BE32FBEB48DA4B4FEAAA3C3422F1A,SHA256=1982F852A0156F569CC924C74072DEFAF489C13C345F91106DB82A6A200F3214,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:44.581{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59269-false10.0.1.12-8000- 23542300x800000000000000028682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:49.302{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5EB0898F058011B01BAE71E6AFA2A2,SHA256=558AE2965F020EAA1F68916C2AF53468C4F5F2E742002457B5B8F1794020439C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:49.987{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:49.977{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:49.965{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:49.956{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:49.944{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 23542300x800000000000000011942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:49.014{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7500210108D968BC98C981BE563CA8E3,SHA256=91F675F297A9C82E4E07C2139DE38A263DFC5E44C280AB62C69169FD56415402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:50.412{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBAE64EA6A376C9E64B2621A68A2D438,SHA256=577CB97C977701A0287382A90B46AC553DE4D4FB9CE7F18D51F4DDC777B776D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.177{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.174{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.171{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.170{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.165{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.161{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.160{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.159{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.158{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.151{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.146{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.141{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.138{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.131{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.128{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.118{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.106{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.094{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.089{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 23542300x800000000000000011955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.083{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FA67156ED58AEA480395D6148567AD4,SHA256=3868E6775E36CDB5C2711F73193DF5B17651CA2FA4C5FC095D2AEF473FF64938,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.070{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.065{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.060{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.053{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.049{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.022{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:50.008{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 23542300x800000000000000011975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:51.141{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACEFCD77D6CDAEFCA2CB87606B83223C,SHA256=20E22C79B17F9FDA62AA8430A052607805BE30420177811548809F972A97D732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:51.510{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=940A981C4F21912EC9C3E31DA84511A5,SHA256=68A5F08E9CE05DE77D4062EC5DC303CA5516AADE0FFBC24E263D02C1B883FB6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:52.597{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D323061CB19C761F4F9C4DF19F1FB9C4,SHA256=F3B9C574E7D168BD4AB04CFEA7F38C8A9ECE875501D1DCE1CC9E920BEDF12103,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:52.898{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1D00-00000000B002}1996C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000011977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:52.241{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=293F1C3CBE0ED585AE152F6EC043B4ED,SHA256=4FF9FB994B5BD554E291FA755633B64D5F337163D99BA4723906329A28E00D7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:48.443{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49899-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:53.689{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7923B7A78A31B147970C436C5B07F863,SHA256=837BCFDB16B3E7B1D40EF54B041D764E7788FE0450BB45F6AAC34544056FE217,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:53.911{312A7A06-3345-63C5-0D00-00000000B002}7763696C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000011979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:53.304{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90459760960F91ECDDCA9585EB9A9341,SHA256=C95860F96DAB874341C2328C3EC29B83B0874E62506913D28C4ADF6604BA2971,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:49.657{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59270-false10.0.1.12-8000- 23542300x800000000000000028688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:54.775{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=520B621A7DF11893259AFBB9A4CDE309,SHA256=AEC506E00941E0F75507A008899053B5F3494FFC675D291BD84B254159AA52B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:54.381{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9273AB9F1B35D65338F3ABDE0AA94E7,SHA256=88FEFE97193308B933BD42E282528B4442E3F6E61BAAB5B8B89E6C2B4F8B9EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:55.867{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C08C71057C95554F872060587205EC11,SHA256=BB143724271CAA12E0EE88D3BEBB8DC14ED0607BFB145B7E6502953462FF7DBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:55.482{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA732D1D86434E4079EBA398D46205A0,SHA256=91FC4319FBDBD94679FA141AA4CD6F6DFC639E59BA169CF1DB2BB1D68151FD2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:55.071{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0AF7EF015FD02C3D69F204155A64550A,SHA256=E3A83947949A167D0E599B600AD4784CC87F2562D24E862BD5FB5844716AE8B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:56.965{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7378A718DFAF10F1F47C6F70E227EFD,SHA256=73004DDEF0D909F5EBF6BC97406A28D9EF85596F0059A533541CC0441353E796,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.897{312A7A06-378C-63C5-9101-00000000B002}11282616C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.647{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-378C-63C5-9101-00000000B002}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.647{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.647{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.647{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.647{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.647{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.647{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.647{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.647{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-378C-63C5-9101-00000000B002}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.647{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.647{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.647{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-378C-63C5-9101-00000000B002}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.650{312A7A06-378C-63C5-9101-00000000B002}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.585{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2805526A6D716E8B4176B572EA7F0947,SHA256=21202A0BAB5820C1877CEDC89E04964703F3FAF934966FE38F89F0D540FDE543,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.470{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9D4A3B7668F55875339931F43A46516D,SHA256=EF511C94126C4DC95F9325395728288405EFD2F961079A8C9E7325A9FA9A1A4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:53.485{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49900-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000011995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.104{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-378C-63C5-9001-00000000B002}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.104{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.104{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.104{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.104{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.104{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.104{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.104{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.104{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.104{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.104{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-378C-63C5-9001-00000000B002}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.104{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-378C-63C5-9001-00000000B002}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:56.105{312A7A06-378C-63C5-9001-00000000B002}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:57.705{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AC3A80EFCCA450D1995A3EA5ADC6D20,SHA256=BD112761EAB1CF8AADA7F82129E372ADA3B29B3C1090D3F2D2B3D5507BF112AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:57.445{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:57.263{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-378D-63C5-9201-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:57.263{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:57.263{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:57.263{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:57.263{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:57.263{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:57.263{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:57.263{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:57.263{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:57.263{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:57.263{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-378D-63C5-9201-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:57.263{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-378D-63C5-9201-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:57.264{312A7A06-378D-63C5-9201-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:57.123{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2C5E8EC34200DC75EFF11220BA7B193,SHA256=533848E4FD2D36F82A8AE0BA3BA6F1E82ABFD72ED0E16C61B79BB21C5742A3D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:58.824{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-378E-63C5-9301-00000000B002}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:58.824{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:58.824{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:58.824{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:58.824{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:58.824{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:58.824{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:58.824{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:58.824{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:58.824{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:58.824{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-378E-63C5-9301-00000000B002}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:58.824{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-378E-63C5-9301-00000000B002}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:58.826{312A7A06-378E-63C5-9301-00000000B002}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:58.809{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48956102ED2E37F6971FF4EA41C11CB7,SHA256=FE2C0FF0071528A6C150B6D5846EEDCCBAF872469A9391325F61ADC02264136F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:58.055{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6549E0B02E024DF20217DA987B88E674,SHA256=629D951F2C9BBCB9CF1829BCC3F2DB566863BC7A324F8C344879094490256854,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:58.192{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=79591088F092F45A8AE00CA4F3655FEB,SHA256=02862CD7C43940650A666A281A77C4C6ECEDB79DABDE4E7409126C2D71CB1A5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.942{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64A92428BACBB27F745210F493A52F5D,SHA256=A53F4A5A1A8FD726303EA53091307FAF2B48739DE51BCB97771FD166063DBFAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.911{312A7A06-378F-63C5-9401-00000000B002}34363020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000028696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:55.905{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59272-false10.0.1.12-8089- 354300x800000000000000028695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:55.628{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59271-false10.0.1.12-8000- 23542300x800000000000000028694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:39:59.139{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=369838A473F21C0238D524C00CD91EB3,SHA256=D5D60F227AAF4B7E52ECFA7C8F1BD1F4AE1A0D06B112BD43AD61FCCFAD1F429B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.686{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-378F-63C5-9401-00000000B002}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.681{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.681{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.681{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.681{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.681{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.681{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-378F-63C5-9401-00000000B002}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.680{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-378F-63C5-9401-00000000B002}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.681{312A7A06-378F-63C5-9401-00000000B002}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000012043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.143{312A7A06-378E-63C5-9301-00000000B002}1124400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:00.258{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D284268DADC74463A5963721E4BD8C80,SHA256=233D699BC8762A2869B26062ED267F45AF5D58299E130032208BE3258D7B126C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:00.512{312A7A06-3790-63C5-9501-00000000B002}27163376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:00.356{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3790-63C5-9501-00000000B002}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:00.356{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:00.356{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:00.356{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:00.356{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:00.356{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:00.356{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:00.356{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:00.356{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:00.356{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:00.356{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-3790-63C5-9501-00000000B002}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:00.356{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3790-63C5-9501-00000000B002}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:00.357{312A7A06-3790-63C5-9501-00000000B002}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:01.358{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12574976EBB2EF080DF4FAF9A68AC533,SHA256=D20A03DF9C5D2694C9E10636EC319FF152643699959C773DA6D04E3705FB1EE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:01.335{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-3791-63C5-9601-00000000B002}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:01.335{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:01.335{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:01.335{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:01.335{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:01.335{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:01.335{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:01.335{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:01.335{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:01.335{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:01.335{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-3791-63C5-9601-00000000B002}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:01.335{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-3791-63C5-9601-00000000B002}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:01.336{312A7A06-3791-63C5-9601-00000000B002}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:00.994{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9DBB9C3BAA2603D96E89979B6FCEEBF,SHA256=D08FCF39273F4762672BFDC21FAA57021F82D46B784695A7C9EA8517C0F33EDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.728{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.724{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 23542300x800000000000000028718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.425{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=209CB363FF0994C2B843EE689EB1C2E8,SHA256=3F82512D62E0938992F8274EAC317F14DC27EE2E3C7CEF02AFB661F7531350F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.394{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.383{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.376{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.372{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.369{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.367{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 354300x800000000000000012088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:39:59.424{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49901-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000012087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:02.086{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB6A71EBDB321A4E7F348F33F9628324,SHA256=EA86570A4F543D123B3B0851FE0F981544303DBDC12B4D36B40F1AE09939A01B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.331{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.324{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.304{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.295{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.290{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.250{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.240{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.228{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.219{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.206{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.195{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.123{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:02.110{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 23542300x800000000000000028721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:03.387{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DF091FD859D739D17822A68782CE2B3,SHA256=2FF2869B5B289699A65B9BC97988A7BA125B8256C30153AD3ABA61A508895612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:03.203{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7897C5EC974FCC7CBA4153E7A521AA3B,SHA256=EC6542BAEDECA5F880ACE8059FD2249ACD8541C57FF5D4ACF10FAC85CF59CBB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:04.781{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:04.779{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:04.774{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:04.768{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:04.766{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:04.760{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 354300x800000000000000028727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:00.725{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59273-false10.0.1.12-8000- 10341000x800000000000000028726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:04.517{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:04.517{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:04.517{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:04.504{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-AF01-00000000AF02}3376C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:04.482{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21364C6235567511018089DC55FCEB4E,SHA256=9FE7B88F89D22B1E441D58421831FAAFCEEB1AF1544194B7E3F1FDB25638FEE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:04.305{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D8BB0A1B53CF6221F0528B8BF839958,SHA256=BC39887B3C618F452BE3CE0ED7B4EAFFE7BDE2E2F944D142EF44B0C5B6125679,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.979{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08266061DD6D5880945AC73C271B5C86,SHA256=4196BC23833780F553C3A5E66B03F146048C8C19E00DD721933E423916C6F59B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:05.384{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=581286578317B49356FD46E860F3CA3D,SHA256=E24EC90C7FE64D81363F3DD5117C4DB0A4F95ED1E6E2007B097952384A1E1116,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.443{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.438{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.411{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.403{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.384{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.381{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.344{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.335{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.317{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.312{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.310{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.305{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.303{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.301{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.297{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.294{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.293{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.292{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.291{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000028734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:05.288{FCCA13C7-3392-63C5-AF01-00000000AF02}33764408C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 23542300x800000000000000012092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:06.475{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=278DF84F05971D18A43F31F261F2D64A,SHA256=8B475FE28F00128A186AD5F01CFD0E74EFF812FE7B1C8BCFB6C2E46B8D516014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:07.570{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=878C873D5246A2C90A412A09514CA318,SHA256=61EFEE4258D79643F4C61F6045821930AC78FCEE2A50271E276F33AE1C7EACF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:07.091{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08FD3095D7CFF9EDE75BEB96C2D140C9,SHA256=7EF86F612621B8202C4E9B27837BA105320AA7BB2062FB9AFDE75A321F6C188F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:08.662{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58F9F8B944EA1FBDAD5AFD476352706C,SHA256=F0BC28DC889C061F30A05E7647EC7C65B5FB6EB7239B8E655FE335F3A006DCD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:08.179{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20950357BB7998F5097B836A7A533F84,SHA256=90A59212A4B4E704EBF61FC70D092DDC64E69388123E7BD3D7FC22F6B35FA076,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:05.456{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49902-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000012103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:09.970{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:09.960{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:09.952{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:09.943{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:09.934{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:09.925{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:09.920{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 23542300x800000000000000012096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:09.752{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91560C2C1D3A8062B746B6071622FDC3,SHA256=1ED761DE0C49F2677689E20781971FDD5332C1A3E8FA13F2C81BBFFBFE6B4683,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:09.274{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=083D468F2F0AC5BF22C650CB2AD62D41,SHA256=43475EB4116DEB72DFEF8AF1A654B1722C7B45EDDC2A94A6D9B13DE5EB597471,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:06.593{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59274-false10.0.1.12-8000- 23542300x800000000000000028758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:10.366{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCECC7BCC1FF2F35BD837E02C8F396B1,SHA256=FCCC9239DB8932F80C881E30BDCF66CB2BC813A3BD031918DF4D8FD8DAB94FA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.135{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.128{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.124{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.123{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.117{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.112{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.111{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.110{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.109{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.107{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.105{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.103{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.099{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.093{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.091{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.085{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.076{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.055{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.049{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.040{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.032{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.020{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.012{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000012104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:10.004{312A7A06-3346-63C5-1D00-00000000B002}19962340C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 23542300x800000000000000028760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:11.470{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D8BB12D867F56BFC72399D48B62F8A2,SHA256=EB952E25BD8E6715024AD5ED182950453F5F54824F4CB31400E088CE162A52DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:11.084{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5032A515E605AFCDFC1D0770D722B436,SHA256=E3EE23BB1439536EB8EB38BF6633323E898D774F7FF9070536DA9CFFAC118014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:12.895{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7291F7676362B0472CEFCF76F9A4A8F7,SHA256=1859C99691F53E04CF63D1EDF4C059603772EFB01A48153CB63E41E6C74295FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:12.567{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58A6D76249AF509BB097AEB64110403A,SHA256=54322C94898E8B88F51C56268F79B32F347D086A1219410D124995C69FE74ABB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:12.523{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\respondent-20230116112145-017MD5=B18DB66107F9A3DB58AE009D35CE0A39,SHA256=9B023875329D6D96D1D2E2C61D5FC66BDE525A94E7FC76E10487647BF6E62E63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:12.161{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07137EB10D0CC58383DD0B59C0AF3823,SHA256=25CC8E8683D9ADC6DECF7D56F449EDF19AE5EA7CB54C0A414697AC49C0EA9DF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:10.275{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local59275-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000028764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:10.275{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local59275-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 23542300x800000000000000028763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:13.649{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3812257E147F72953EE852644FEA3E5,SHA256=3BE0708C77CCCE1CB76A42C77F329BDF5B60B2929BA4D5B28A2D54CB4A050C83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:13.534{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\surveyor-20230116112142-018MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:13.267{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26AFA351DB2121FCB666D695FFBD89FC,SHA256=024BF7FEDD3D00B86C050C16937F57B245819585B2CFEAEF6363C56A54E1CE92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:14.741{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8230779211376C72521F153F13A5419F,SHA256=8D26641D6A1A2F851988DE6F7D06DE7D4BAC6D2707F846E39A93B387472BC564,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:11.445{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49903-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000012133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:14.351{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7386D150DBD760B1F01CE962C6612DB,SHA256=EB9D5215855A60D52512B2DD9D70D35ED8FD2B97BBBEBEE5058F157F3485CB2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:15.812{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB3CBF6A322EBEAE06D6DDE5A236BF84,SHA256=8F302A81B08961BE828C788778069CBCA9F994207596A4150CF3360DF1DA4219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:15.447{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E8FB756E3EC46CC66CA4F09047283C,SHA256=CA138CD173754D0E76E4EFB810D60A13E3751C4DA67A0325A6A5B85E7A5CAD1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:16.903{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECFD5CBB9D13EEEB5EEB814FDD869F4A,SHA256=E3A19AE6F8DA49B0334980684AF968923725D12979E91FAD7B960345A0E1CE12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:16.562{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD7DE5C5BEB2491D9D482DA58B653599,SHA256=69835B80E0DDE96630B66EC972F4C6B254A9DE3184874A28326406C4DD4DEF8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:12.501{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59276-false10.0.1.12-8000- 23542300x800000000000000012137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:17.656{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7505D5A823C86CF5178A893EFA9D380C,SHA256=7C31B41893E86E9E431568A4619D3C8C376D0D6E0E02DDC1B1F0568D6D0DDD20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:18.765{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=806D9C1CD61D5FBF4A92182B124E4F3D,SHA256=3217BA174657895FC1AF7D5E0A374947DBC3E4F1E01DCD6B62A86CCF1944F182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:18.749{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:17.998{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D412073A2FE225C0B5FB17058437D461,SHA256=9A8B252650D14A2290D8058A70BCB2DBEED2608F89417B7BC716769A982AB3F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:19.867{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=684BC8B03C21929F09DC1C32A4E75BAC,SHA256=833E147552FDAE8E164A367A4D9FA34FDD756EC97A90C277480A75B9631D46AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:19.086{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4850B477C5138EE115E25E3290FED91,SHA256=92FBC8DACAEDE78F136CAA12B8B4331E2FF1C08CCFABBA6567647199A8F756B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:16.489{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49904-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000012142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:20.936{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E4A9616BC2EBAE71783F7FE9C92104,SHA256=69C2D8F061FAFF971D9CF5416C034DF927723B111932A2414E882D49D5378B68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:20.169{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7103BB2D77F566650296DDAC1E38BEB1,SHA256=BBB14175E171FE3ACF10CEE945E24F1BD4CB544014C694A058341D038C9B2B32,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:17.735{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59277-false10.0.1.12-8000- 10341000x800000000000000028783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:21.582{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:21.582{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:21.582{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:21.582{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:21.579{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:21.579{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:21.578{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:21.578{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0A00-00000000AF02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:21.575{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:21.575{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 23542300x800000000000000028773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:21.258{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E0507998E2AAD67F5694D9374D7FA0D,SHA256=ECD6E8BB855A6FD7B55B61649C9B7F1154179B55DF0D9CAE8ABEAA14D451F16D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:17.130{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49905-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x800000000000000028806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.705{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.701{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.376{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.364{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.356{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.347{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.341{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.338{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000028798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.327{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F159D39C241F2C2F258139BA2D3F6DAD,SHA256=0E1293AB6278D9634ACA43AFC99FF3850C723C291528F5589337637D87C88294,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.282{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.275{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.260{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000012144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:22.026{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=122AF69C419C9B7029F28DB8B10D96E4,SHA256=39A1AF1DADB9F6C2F6C31BDCCE20ADA711E576F9DBF500EC75ACC5C652E1EB1A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.244{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.228{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.196{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.187{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.175{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.164{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.154{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.145{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.099{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:22.096{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.726{FCCA13C7-37A7-63C5-6A05-00000000AF02}37844624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.693{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=AB9F479ACAB947C41E15C1BE7585B09D,SHA256=4C6C25FC08068C20445EFFCC102189B4DEDF62A9C0A511885604686947341AC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.606{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-37A7-63C5-6A05-00000000AF02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.606{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-37A7-63C5-6A05-00000000AF02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.606{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-37A7-63C5-6A05-00000000AF02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.605{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-37A7-63C5-6A05-00000000AF02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.605{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-37A7-63C5-6A05-00000000AF02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.605{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-37A7-63C5-6A05-00000000AF02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.543{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-37A7-63C5-6A05-00000000AF02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.543{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.543{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.543{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.543{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.543{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-37A7-63C5-6A05-00000000AF02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.543{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-37A7-63C5-6A05-00000000AF02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.543{FCCA13C7-37A7-63C5-6A05-00000000AF02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.386{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=654439375126BD4670386A03DAED272F,SHA256=97F39F4801FA02C0102A3B20CF8A249740EDC79442B2E4AC511F8B5F2D88F759,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:23.136{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A495678C31749CDB3632A64B464B1044,SHA256=A0B2073A81C9A0DD86AC73D2022C7BBA37E47C4F621509E5B77E030E5DF00244,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.852{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-37A8-63C5-6C05-00000000AF02}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.852{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.852{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.852{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.852{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.852{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-37A8-63C5-6C05-00000000AF02}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.852{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-37A8-63C5-6C05-00000000AF02}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.854{FCCA13C7-37A8-63C5-6C05-00000000AF02}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.761{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.760{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.756{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.755{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.753{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.748{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000028833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.476{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39C09280213F4D8EBCAAF7D290386297,SHA256=E869B11B8500FF9B19428FE3ECDA045204862CD46CB263C635900E178365D5FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:24.227{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55FFF29216F0486D2F105FD7EF44D85,SHA256=73241260D2ACF397D128931226E7DE77B3A2882DC3E77073ED5985DFD4520FC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.208{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0152C3C700456A2DC20C288A311C2847,SHA256=9EAB9D1A8DE559651A048C625270F8824D47D24F240F3A34BEE785E9FF0A4F40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.193{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-37A8-63C5-6B05-00000000AF02}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.193{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.193{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.193{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.193{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.193{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-37A8-63C5-6B05-00000000AF02}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.193{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-37A8-63C5-6B05-00000000AF02}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:24.193{FCCA13C7-37A8-63C5-6B05-00000000AF02}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.956{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5EC5941C7A513C0161AA272159CF52A,SHA256=3F30A9FA7C599ABD7D276802A73F951902853A77232FE820A00B5072F69E5896,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.692{FCCA13C7-37A9-63C5-6D05-00000000AF02}2116576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.665{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-37A9-63C5-6D05-00000000AF02}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.665{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-37A9-63C5-6D05-00000000AF02}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.665{FCCA13C7-3392-63C5-AF01-00000000AF02}33766092C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-37A9-63C5-6D05-00000000AF02}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00610) 10341000x800000000000000028875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.531{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-37A9-63C5-6D05-00000000AF02}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.531{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.531{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.531{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.531{FCCA13C7-30EB-63C5-0500-00000000AF02}4121036C:\Windows\system32\csrss.exe{FCCA13C7-37A9-63C5-6D05-00000000AF02}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.531{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.531{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-37A9-63C5-6D05-00000000AF02}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.532{FCCA13C7-37A9-63C5-6D05-00000000AF02}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000012148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:22.467{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49906-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000012147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:25.323{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6553A4308E7B0FF635414FACAA219FB,SHA256=55B3321836A18B33039A433F4A7BF068EE38CD51474BCEB5B4F4C2ED1B0F74C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.387{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.386{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.360{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.353{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.341{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.338{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.314{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.307{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.295{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.290{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.289{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.286{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.284{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.283{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.280{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.277{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.276{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.276{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.275{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:25.273{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000012149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:26.424{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DEB24CC93ABE1731564AEA28569960D,SHA256=903905A67433D19A766BD0C8E8922F3D5A27FD6514AC5F73674DEBC07723B578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:26.650{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3138F25E46988202FFF811ECEBE03117,SHA256=44664C154D96DC667F098DDE45B778C747805E5C31C1AFC0ACF13F1222F26338,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:26.542{FCCA13C7-37AA-63C5-6E05-00000000AF02}69285600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:26.385{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-37AA-63C5-6E05-00000000AF02}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:26.385{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:26.385{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:26.385{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:26.385{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-37AA-63C5-6E05-00000000AF02}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:26.385{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:26.385{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-37AA-63C5-6E05-00000000AF02}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:26.386{FCCA13C7-37AA-63C5-6E05-00000000AF02}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:27.641{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9EBCC5911A35AB58493EE00332730C0,SHA256=02C99651496C0DB021768C2F9D02142C8C343C94B8437F6B9C385469A9235E11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:27.530{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5560B16758BB7CB1EB8A53102EB9CD38,SHA256=4F90E440040C6C1E595A0C00F271B710BB5491AE7A2639DCB7D56F68C7AF9DF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:27.246{FCCA13C7-37AB-63C5-6F05-00000000AF02}24245752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:27.045{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-37AB-63C5-6F05-00000000AF02}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:27.045{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:27.045{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:27.045{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:27.045{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:27.045{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-37AB-63C5-6F05-00000000AF02}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:27.045{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-37AB-63C5-6F05-00000000AF02}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:27.046{FCCA13C7-37AB-63C5-6F05-00000000AF02}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:28.622{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420C0D331DEE4BC47B133CE563B63EB7,SHA256=4B3056406D7EEAAB880A393AB97F394B804D48486B32DC799837E6302431B76A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:28.575{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=EA5CCB323D1DC8C2A1F95B22D66DED77,SHA256=F9E2D49F9137EE08BB4E4F980D0EDDC5B4C9E70E0F732F656ADBA49D1F389A59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:28.734{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C011535A9F02F86A6A184D927958CEF,SHA256=D5C41CC3EC333F4EEB3506808C1947829A716EAFC955179B3D748E50860FA2CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:23.609{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59278-false10.0.1.12-8000- 10341000x800000000000000012160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:29.973{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:29.964{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:29.953{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:29.944{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:29.937{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:29.929{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:29.926{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 23542300x800000000000000012153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:29.614{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA26DF8CDECAB1938B2AD72BA4C6CCE4,SHA256=DBA61B2D7257056266D8432170090935F46D715EF26A46591548A1F09BCB87FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:29.818{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23B17060BBC6B290CEDD67892BF4B16F,SHA256=A3B525BB15136BBCB1A85B34AE25ED76E9A32C5E26D6E54907020FA622651AEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:29.061{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-37AD-63C5-7005-00000000AF02}7136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:29.061{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:29.061{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:29.061{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:29.061{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:29.061{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-37AD-63C5-7005-00000000AF02}7136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:29.061{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-37AD-63C5-7005-00000000AF02}7136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:29.062{FCCA13C7-37AD-63C5-7005-00000000AF02}7136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000012185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:27.617{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49907-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:30.904{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9443D1D5820AD0EB23D90863AC1377F5,SHA256=5449F4720B1D451DEE3840C10373E8CB69820CFB50F31337757FFB656B674A27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.101{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.099{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.097{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.096{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.092{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.090{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.089{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.088{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.087{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.085{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.084{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.082{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.080{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.075{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.073{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.069{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.059{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.040{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.038{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.030{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.024{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.018{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.009{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 10341000x800000000000000012161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:30.003{312A7A06-3346-63C5-1D00-00000000B002}19963760C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019968CD0) 23542300x800000000000000028913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:31.988{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710AE755605EEFCEFB13D0CFD0A2EEF3,SHA256=821A76882A8D50C85A2D00A4D814D60D9FF4BFE1753F58116E03B1EDAFDAC77F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:31.058{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7654A2974967357F1491878D4322018C,SHA256=78DFE1B71FA7D3131B790A3851B3F39B87ECE51C785ADF7966FB4C855A027164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:32.039{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E291BE640933BE0F4C685316991C0CD,SHA256=94BC34207D8581F958A0129994D97106B3DA75BD834AA3381C262EDF741B7471,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:33.152{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB3B45628C9F9DA335F83235D48889A,SHA256=67A7A3DF91FF1DE45C1E0B8BD39D55C4E2C14723B9B410978218D9EB0581762D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:28.717{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59279-false10.0.1.12-8000- 23542300x800000000000000028914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:33.086{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B277903F89EB723296B68B556075110,SHA256=846C18A778C38DD20367F7BB1067562DC01C8F0FCA2859E30B33DD1A29179E06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:34.234{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AC96300D112A2FFFE3E1EF39466A5D3,SHA256=3410FF542D0CA3969D96541595480B10150398BF9387D72306461951A1E7E79D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:34.166{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3E7016557447A0F36CFE54FA4DB020,SHA256=EC3AF8D51B1424BBACF3AC0BC41324CB6B2C8A7A48A991664477DEE8F2E6DA1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:35.324{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB1E6B41E642E8A0159762065D3A9F8F,SHA256=40936A418E425E3B6E8AA986445BCCAC11727B64DB4EA12FB59F1B3CB6A1C515,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:35.273{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C43F11F3F70A1839896CFF2A6A37B0F,SHA256=2F6CF8B53F3E5C5866B27EA0775B2AC3E741EB7A0EF4EFD630097E24C23B99FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:36.416{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE5C9A2B98A47B488A04881DF340B96,SHA256=F86DCC46504387B73DE03DC8F05A2AC2BC35F6BBD6026149BB3AE38B637A8F4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:36.354{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A21D926CD93054648F87446ACFA2A0,SHA256=ED34813D6B310F0BAD37E52AB9D242EC0F8CE5FE26751A43FD322A324F8CF5CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:37.515{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF53DDB92A214207FDD6205F491CD3D9,SHA256=4E7934CFDE061020D067EBBCC842A0F10507AF37ECEE1B1A8A2F2CB0F83E64BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:37.439{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91D0CBC15383FB7BB208139333C02C62,SHA256=79BA31C2A3D0F0613E41E8B869A9177BF5A8823DF9095B145C564AF499CF1FF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:33.579{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49908-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000012194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:38.614{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EFFBE81A40EDFB9D4D138A5438F0923,SHA256=8D62DE454075F100B229DE2352C0DC59E943A13C8A275305891B5F71624C56CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:38.537{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D9226DB7A32531742BD6FE0F5C78E5,SHA256=BBDB55497C51B37218F49FC360342DED3B0929B7EFBFE4B693195552666678A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:34.583{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59280-false10.0.1.12-8000- 23542300x800000000000000012195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:39.706{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87DBBFA2DB25E3C4CB9179D4C028093C,SHA256=E7303196AB7F7955485123DEBB8E7969804C4780EC377A5445E30605264D8A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:39.623{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8550BCE61D8E284E023D72D15203CF6B,SHA256=B515921551502D6FC9D5372118649B1FDBC0472DC8C08F9CA80CC847107A9EC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:40.810{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD3046E7964EB485FA290DDD7E6F9D3,SHA256=3DE246184D9A3C30B9AF87D2E21B466EA3E256484512BBAEDCDE043C57EAD523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:40.945{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\respondent-20230116111158-027MD5=3A7897B317CA03B79FE07533175F9643,SHA256=F76FF17815B8F96571634A983322FD544389A7130FC207258DDFB92658757A4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:40.718{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E450FB13768534CF8F053076A895B01,SHA256=ACE9A365B98E49CA27C6900AA3D94BC6741D633AFB75FFFEA3536F13C74593A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:41.902{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD145C5E29EA068799B00E340A1A070,SHA256=62308FBD60A2F9596982D94A45A05A7D313CBD9DFAEF3C05E7DD5BF3234AAA99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:41.943{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\surveyor-20230116111156-028MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:41.816{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CCC178A280FB7650851A795F56A35B0,SHA256=DA0A5057EB58612928E50E556061C6B7AEA703B9850A62EAE995C58E7206294A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.858{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3315D604FCEDA283A6D821B217382CB0,SHA256=E1E6F054B96103B9141F335C840E80D6EEA029833FEDA857121D40C25CFA0BF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.799{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.793{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.389{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.377{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.365{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.359{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.356{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.355{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.301{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.296{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.276{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.260{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.252{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.199{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.184{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.176{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.161{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.150{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.140{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.098{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:42.096{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000028951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:43.971{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA71C7F9C8951278A19074B34EFD8C9,SHA256=3A359E9C7F7977D02F16F58BD9818BFAC01FE9A41ABB346DF6D8335E75F31CB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:43.909{FCCA13C7-30ED-63C5-1100-00000000AF02}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A94DA1488268529A2AB148B64357E5A8,SHA256=1A7ADB05A74ABC2D63DC8BC91900A451F2BD3056187FC5585118656C0121706C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:43.737{312A7A06-3345-63C5-1200-00000000B002}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6D35657FC09C27E780CB16409B5D04A3,SHA256=F54DEBEFF49C43EC23B9DDA390A57EE1F6CD9DEE7C0DB3E9A4DF3A9AAEEB24DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:39.571{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49909-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000012198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:43.002{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6886B622C3CD319CFD9A971EC7F3C591,SHA256=77D9CE990BCB1B01AFEF4EB7508830BCF632858E7F9364E3288BF82C3306FAFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:39.622{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59281-false10.0.1.12-8000- 23542300x800000000000000028958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:44.951{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=376F5F47455B7E60F5D3DBE3839DFA1E,SHA256=4A8C1DC67F47BB4480A201B4E2740031F6C81BA710260FDFF08DEFEB31C6CA59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:44.103{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAF4FA67A20B7626DD8DC26845D00037,SHA256=CCACABB3F88D098465EF56462858469C3FD7CF1A6F4997B307A767C8D35B47BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:44.829{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:44.828{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:44.824{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:44.822{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:44.820{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:44.815{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000012202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:45.200{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A7FAAE9A8277DE476311F99C3F24D1D,SHA256=B8C1B90830DB335E71ACA291222DD968D42BBB943013067833D959675A46145D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.497{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.495{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.458{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.449{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.431{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.427{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.392{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.384{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.367{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.360{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.358{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.355{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.352{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.351{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.347{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.344{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.342{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.341{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.340{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000028959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.338{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000012203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:46.300{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=206AE95CED7052B1F591BC07B60292FB,SHA256=E869A7005A6E0585CF3BBC28A167CD70ECB7B9F097DC0AA0859D1FD9FA65997A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:46.023{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D57C0E67724F990E3B69BD99188799C3,SHA256=C86D4DDC6639897B79AD716B8F031EA1FAB10589F6F0CBD1DA40C77E78570900,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:47.391{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54819127F4E405230843DC008588481E,SHA256=F5BD8FFEC0DC7B6BE3F94C721F1FC5C31016A0EB9F0013FBF5D5B5BADA06BA5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:47.120{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F2C3C2965C3D36117BE25EF17AA769B,SHA256=F72D72905E8D919D8EAD77A204F317FAA6EDDCBEB171D09D63816CB8B55D39CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:48.478{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83933DA8759308D74833D843974B1069,SHA256=D1D17BB8374FE51C0F2AE1E15A050D587344D325F25423BF47A76A8D23D90A6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:45.474{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49910-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:48.210{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9037146ED06995CDB33A5F65FF567ECB,SHA256=BB39294E45DCAAF20503B5248980EBDFBA562DB78155DF53E0A74D4B9D57ABA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:49.992{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:49.982{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:49.970{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:49.964{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:49.946{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:49.942{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:49.939{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 23542300x800000000000000012207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:49.560{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D0FF437F29779245EEE818D45CE2832,SHA256=2437AC7DDFE8878E5CD682D0C3162E9FF90E6F0A2B5FF5B7F2DBFF5864B1F4E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:45.583{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59282-false10.0.1.12-8000- 23542300x800000000000000028982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:49.299{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F65CC14C2BC5768C84B4AE9D3C7C952A,SHA256=7F73BA4ED9079F4AD9A92B052B87A3A0FCC0DDEB07CFF62E581530EB693A835B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:50.394{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09FC6A27527A2992782FDF9144D37270,SHA256=2900901CDBBC139C27733A913609E07F156E71E5F38AC01EE01554D4C6DB7F81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.143{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.141{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.139{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.138{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.133{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.131{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.130{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.129{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.129{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.126{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.125{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.124{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.122{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.117{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.115{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.109{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.103{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.086{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.083{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.075{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.068{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.059{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.047{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.035{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 23542300x800000000000000028986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:51.489{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=345463C02B5B7D6B60F53FBB6628892A,SHA256=E73A873ECBA5394CE6812819BA19F82614B193ED17D95DE2FDCA055D63650B59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:51.489{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D4054446A013FB77AC243D3A24CDDB,SHA256=7F72B524E1BF164AB99B5CA5B76963102450275B6A9A7E7049EDEE48829E34C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:51.043{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6177C81C768B30EF98D4FACB6ACB1354,SHA256=8CECC24A0B386764AC61EF2CC4A1CF9687D79EBBC629109823568E12B72B0780,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:52.586{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=263DC5263A466CDDAC9024AA1519AAD0,SHA256=3734DA361713A57E704BBFC9F1579661579D1B2B3297DE14403D196E352A8CA5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:52.916{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:52.916{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:52.916{312A7A06-3345-63C5-0B00-00000000B002}628668C:\Windows\system32\lsass.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:52.900{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1D00-00000000B002}1996C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000012240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:52.181{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E0EB2360A1F65F99CA634B2F9A0735,SHA256=BB6BDE8E22935EE78DF3AA24D8132DDE6F7B77D37C9ADD013938CD69F7DB8E1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:53.699{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E99637EADB7C74F76D159D7B60A38E5,SHA256=4BA33411FBE323E5A2EC72EBD8FBACD25E6900E8ADBDF37035BF8946D94BE0B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:50.623{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49911-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000012245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:53.277{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAF1F28F64B395EB3EB7E9EDD424960A,SHA256=A937F52186BDBCB02FE14C40E352858AB14D3CE61F29E0F805842C22F0B3968F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:50.598{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59283-false10.0.1.12-8000- 23542300x800000000000000028991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:54.787{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0AE6AB740DCFEB2074F023E53393268,SHA256=E50BD3778F37B3642DF4F4BCEA9AB34EC1521BC944459EB92354FFAACD2326DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:54.383{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D7E6F4CB4837517568587E879DF9BEA,SHA256=AE216BEDAA163635A3F5E677741430236E261DBCCB5429992EE1D4632211014D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:54.336{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=AA9283FC009E52058D56024DF0CC0DF4,SHA256=A6D6A985F320203CF1CFDAD4287CD40587E8A8718081AC618A650B1A025AF66D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:55.875{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C032C77AB79ADD373FA88431121310,SHA256=8A2FB7439AE1E1EEA7C4A9DC42F991592A89938FAB599003DC7FFE3B203F8CB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:55.471{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0275212D2020F7F891B2142E921D84A9,SHA256=83AEEA9781C26850F1E826F51D52D6560B6BD8E8583A2B81568663A50C201849,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:56.966{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9CBE93E0256B3A0B5F49F07F4E4D34D,SHA256=0F2D1E857B8DF1CC3F425F4B49C5DEE17243F2EEDD9974D10C11F8704C816F59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.824{312A7A06-37C8-63C5-9801-00000000B002}23962408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.636{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-37C8-63C5-9801-00000000B002}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.636{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.636{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.636{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.636{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.636{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.636{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.636{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.636{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.636{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.636{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-37C8-63C5-9801-00000000B002}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.636{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-37C8-63C5-9801-00000000B002}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.638{312A7A06-37C8-63C5-9801-00000000B002}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.574{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22CB78F4DF1E5D9E0306A3C867B10833,SHA256=0B0630B07D978C931D3324F6253CED1E10A8F029D1FACC084B40657FA2BBC676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.355{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9ED556CCDFF12CF75401D85A2B84A3C2,SHA256=791C0335D89F00ADAB4945513302798919375F141344632EC47ED16A6856B655,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.281{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-37C8-63C5-9701-00000000B002}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000012263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.281{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-37C8-63C5-9701-00000000B002}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000012262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.281{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-37C8-63C5-9701-00000000B002}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000012261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.123{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-37C8-63C5-9701-00000000B002}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.123{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.123{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.123{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.123{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.123{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.123{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.123{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.123{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.123{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.123{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-37C8-63C5-9701-00000000B002}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.123{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-37C8-63C5-9701-00000000B002}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.124{312A7A06-37C8-63C5-9701-00000000B002}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:57.808{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5E0821748BF9907C72EDA0A4601C1E1,SHA256=6C31E263A3BE8B14FA11E94B0EE2A80C8262D89A9223547E08BBBE6F0B1CFCC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:57.453{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:57.255{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-37C9-63C5-9901-00000000B002}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:57.254{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:57.254{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:57.254{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:57.253{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:57.253{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:57.253{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:57.253{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:57.253{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:57.253{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:57.253{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-37C9-63C5-9901-00000000B002}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:57.253{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-37C9-63C5-9901-00000000B002}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:57.253{312A7A06-37C9-63C5-9901-00000000B002}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:57.236{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15799D9DD618B104D5A7035B1E64A1FF,SHA256=FCC57FAFA187EC7D91DBBD547A10C9600E659F28AA82695DD8304A92D0328EA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:58.893{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8897F84E3B02E3BC66AA69655CA0C7DC,SHA256=90813D76C2079A5FFFBF8CF4C1007179B1B077857538DD5576357CE5A764B213,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:58.846{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-37CA-63C5-9A01-00000000B002}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:58.846{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:58.846{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:58.846{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:58.846{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:58.846{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:58.846{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:58.846{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:58.846{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:58.846{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:58.846{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-37CA-63C5-9A01-00000000B002}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:58.846{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-37CA-63C5-9A01-00000000B002}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:58.847{312A7A06-37CA-63C5-9A01-00000000B002}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:58.064{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73AB353669D50B31415FD86ED3A821B7,SHA256=2BC6CA5F14926A4DA720A3EDEC77C71AF6ABDDA0D4A02D0FD535AD1B350225B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:58.534{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=116FA34C8A472504A94783A69EA6B520,SHA256=D0BADB3BCAC0563720BB8C550B9195F668C04ADE158130659F8371A5754FEFE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:59.847{312A7A06-37CB-63C5-9B01-00000000B002}5803960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000028998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:56.604{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59285-false10.0.1.12-8000- 354300x800000000000000028997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:55.932{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59284-false10.0.1.12-8089- 23542300x800000000000000028996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:40:59.159{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEBEF707C3734B9CA350CFB6CD670B57,SHA256=EB091162DA46890DC486A6CD0D290A4D12F846D47DAE62E0F023C6E6E5F8A420,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:56.568{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49912-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000012324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:59.682{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-37CB-63C5-9B01-00000000B002}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:59.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:59.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:59.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:59.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:59.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:59.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:59.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:59.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:59.682{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:59.682{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-37CB-63C5-9B01-00000000B002}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:59.682{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-37CB-63C5-9B01-00000000B002}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:59.682{312A7A06-37CB-63C5-9B01-00000000B002}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000012311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:40:59.002{312A7A06-37CA-63C5-9A01-00000000B002}39561072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000012348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.865{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C00803C0A0B1FE0103D8B1A8009B7BF2,SHA256=FBD5E2A64F4E380B00B0523938E2AAC34DFDFB0D559F2F82288A99B25000310A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:00.259{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09DF77366532FF0A0FF42642E3469CA0,SHA256=98D45D18EBD4F492DC9DF0A6E36E18032CD59AFC971F10AA1FBE29576CF1BA9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.374{312A7A06-37CC-63C5-9C01-00000000B002}33122748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.352{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-37CC-63C5-9C01-00000000B002}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000012345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.352{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-37CC-63C5-9C01-00000000B002}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000012344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.352{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-37CC-63C5-9C01-00000000B002}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000012343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.351{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-37CC-63C5-9C01-00000000B002}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000012342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.351{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-37CC-63C5-9C01-00000000B002}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000012341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.351{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-37CC-63C5-9C01-00000000B002}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000012340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.212{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-37CC-63C5-9C01-00000000B002}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.212{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.212{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.212{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.212{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.212{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.212{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.212{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.212{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.212{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.212{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-37CC-63C5-9C01-00000000B002}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.212{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-37CC-63C5-9C01-00000000B002}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.215{312A7A06-37CC-63C5-9C01-00000000B002}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:00.212{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A192C7A51923AD765401291CD7D126,SHA256=36247CFCC50087F5D67B3FCCD90D2FBC27A618E28D49F1E0FB9CE08986C8FBAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:01.969{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37B62A8174D748720E0A998C2BA2BC40,SHA256=BD51AE065DE9270449C7E90E5645054709D05A3A8087AAB539A28B69E3552C02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:01.349{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A3C8641CDA21FE1342C831FAF5E61FC,SHA256=0DB90C313A3930F42B0AC576A93A2F1E382A7DD1E74D1D64AF058619BF7D53DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:01.340{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-37CD-63C5-9D01-00000000B002}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:01.338{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:01.338{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:01.338{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:01.338{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:01.338{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:01.338{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:01.338{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:01.338{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:01.338{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:01.337{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-37CD-63C5-9D01-00000000B002}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:01.337{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-37CD-63C5-9D01-00000000B002}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:01.337{312A7A06-37CD-63C5-9D01-00000000B002}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.837{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.831{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 23542300x800000000000000029020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.417{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ED9A1560D882403CDA17CC7FFCEF777,SHA256=B7DD88F3E0BB64D80A1DE1AC8F257B4A46A702ED930AC2D42A12B50C2DA12747,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.393{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.381{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.370{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.366{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.364{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.361{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 23542300x800000000000000012363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:02.388{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF02D69DED69D9F8B56394713814397E,SHA256=BB321F9EB8615D8220A54BE819EB2D56B6F00DD6897A529CCB0C150F0BC30378,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.315{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.306{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.286{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.275{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.269{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.232{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.222{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.205{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.197{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.183{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.169{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.118{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000029001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.112{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 23542300x800000000000000029023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:03.569{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D238F7F54F4FFA60B1A80D3DC92FBBF7,SHA256=21F4933BE0E0A0D94E4AD27387DFA18A1E7E52C8F8FF3B7032E8CC0489B98E89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:03.049{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA9BFC797277279C5CE03941A954020,SHA256=E63C7CAAFBD8B10153986FFBCA3C55F435719CA5615880E2E032BCB5BDFBA69B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:04.883{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:04.881{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:04.876{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:04.874{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:04.872{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:04.865{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 23542300x800000000000000029028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:04.662{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43BB4B9B5CA46F0EB65AC3D786F97FC7,SHA256=1E6614F13853635762B1716540DE6E5942D851B238D7F0DD7C8E00AF4A0A80C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:01.615{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49913-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000012365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:04.135{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=549F8E47F0A46F13F64B86EE3612B41A,SHA256=710394B7BCB40BD098DC3A66B7A810AA69BDCDCEC0CB57BA3217F806EDBD4D62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:04.516{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:04.516{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:04.516{FCCA13C7-30EC-63C5-0B00-00000000AF02}6283276C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:04.501{FCCA13C7-30ED-63C5-0C00-00000000AF02}848960C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-AF01-00000000AF02}3376C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.725{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E98EC055A3755DE3E4E14A230D99179C,SHA256=48D2CEEE93270BFA1D38AA0AEC11D7303BE51D33B5C07A1A82DDD5B48F3F722D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:05.218{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=756863B1A8CACF7ED06D6BD8C7BE415A,SHA256=259739D04A927CF314E5A30D05C6B2210A946E4407DC647A76780A0E0D7C990F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.534{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5D05-00000000AF02}6076C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.533{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3734-63C5-5C05-00000000AF02}4364C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.510{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.503{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.487{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.484{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.446{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.435{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.419{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.414{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.412{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.409{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.405{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.404{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.400{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.396{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.395{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.394{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.393{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 10341000x800000000000000029035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:05.389{FCCA13C7-3392-63C5-AF01-00000000AF02}33764328C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B36190) 23542300x800000000000000029057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:06.809{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF93C53D0C3A032FD99FD618CB3CB8CE,SHA256=F9E1181F1B833A544AA70399BA49AB35B682F473B815E06AA35523B24C397D99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:06.316{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=637D9F799DA9BA16A0B09B83466D5CD4,SHA256=70C2959B0D4D68542154445F24A70DE464FD5EF3F516CEF1F89485BEECC8DC47,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:02.536{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59286-false10.0.1.12-8000- 23542300x800000000000000029058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:41:07.903{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B93A9174593DC41BFEFFECBB851E95EB,SHA256=1E98F853EE4A02947DE14D83E1FF933222D0B3BC33CB843B4E0615387F7725A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:07.409{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AC7A7C2B1757A2EC557C27A724B6D59,SHA256=DA713630AE3495984830921ED079ECB79A57B7954F9541D143E8842DFDFDC8E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:08.496{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12C41CC1A86EF8084C6E3E9F40B94863,SHA256=EEBFD10122B7D2F5701192785F24C0FD7B3A33DCDD42D491CB63C47CAA43C8A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:09.999{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:09.994{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:09.988{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:09.982{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:09.977{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:09.954{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:09.949{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:09.942{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190) 10341000x800000000000000012375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:41:09.936{312A7A06-3346-63C5-1D00-00000000B002}19962576C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000125FC190)